Readline crime: exploiting a SUID logic bug

We discussed this vulnerability during Episode 189 on 20 February 2023

A file-disclosure bug in the readline library, reached in this case through chfn (change finger information), which is setuid root. readline honours an INPUTRC environment variable naming its configuration file and parses that file line by line. The interesting part is the error handling: when the parser rejects a line, it echoes the contents of that line in the error message, so a setuid process that reads an attacker-chosen INPUTRC prints pieces of a file the attacker could not otherwise open. Lines that trigger such errors include lines that begin with a double quote but have no closing quote, lines that begin with a colon but contain no whitespace or null bytes, and, most usefully, lines that contain no spaces or colons at all. That last case covers the base64 body of any PEM-encoded secret such as an SSH private key, and the PoC used the bug to dump /etc/shadow contents. The root cause is the classic setuid mistake of trusting the caller's environment; glibc's secure_getenv() returns NULL when the process is setuid and is the guard such a code path wants.
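Added example (not code from the episode, from readline, or from chfn): a C model of the three error-producing line shapes listed above, so you can predict which lines of a target file would be echoed back, together with the uid check a setuid program should apply before honouring INPUTRC. The classifier implements only the page's three rules (readline's real parser has further error paths, so a line it does not flag is not necessarily safe), the sample file body is constructed, and trusted_inputrc() is a hypothetical helper modelled on glibc's secure_getenv().

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

static void set_why(const char **why, const char *s)
{
    if (why)
        *why = s;
}

/* Returns 1 if, under the three rules described above, readline would reject
 * the line and echo it in the error message; 0 if the line is ignored or
 * parsed without one of those errors. *why (optional) names the rule hit. */
int inputrc_line_leaks(const char *line, const char **why)
{
    while (*line == ' ' || *line == '\t')      /* leading whitespace is skipped */
        line++;
    if (*line == '\0' || *line == '#') {       /* blank lines and comments never error */
        set_why(why, "ignored");
        return 0;
    }
    if (*line == '"') {                        /* rule 1: opening quote, no closing quote */
        if (strchr(line + 1, '"') == NULL) {
            set_why(why, "unterminated quote");
            return 1;
        }
        set_why(why, "quoted key sequence");
        return 0;
    }
    if (*line == ':' && strpbrk(line, " \t") == NULL) {   /* rule 2: leading colon */
        set_why(why, "leading colon, no whitespace");
        return 1;
    }
    if (strpbrk(line, " \t:") == NULL) {       /* rule 3: no key/function separator at all */
        set_why(why, "no space or colon");
        return 1;
    }
    set_why(why, "parsed as binding or directive");
    return 0;
}

/* Number of lines of a file body that would be echoed back. */
size_t count_leaking_lines(const char *const lines[], size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        leaked += inputrc_line_leaks(lines[i], NULL) != 0;
    return leaked;
}

/* The check the setuid side needs: only honour INPUTRC from the environment
 * when real and effective uid agree. Hypothetical helper modelled on glibc's
 * secure_getenv(), which returns NULL in a setuid process. */
const char *trusted_inputrc(const char *env_value, uid_t uid, uid_t euid)
{
    if (uid != euid)
        return NULL;
    return env_value;
}

int main(void)
{
    /* Constructed sample: ordinary inputrc lines mixed with a PEM-style key body.
     * The base64 line is made up and is not a real key. */
    static const char *const sample[] = {
        "# constructed sample, not a real key",
        "\"\\C-x\": kill-line",
        "set editing-mode vi",
        ":wq",
        "\"\\e[A: previous-history",
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gt",
        "-----END OPENSSH PRIVATE KEY-----",
    };
    size_t n = sizeof sample / sizeof sample[0];

    for (size_t i = 0; i < n; i++) {
        const char *why;
        int leaks = inputrc_line_leaks(sample[i], &why);
        printf("%-5s %-32s %s\n", leaks ? "LEAK" : "ok", why, sample[i]);
    }
    printf("%zu of %zu lines would be echoed\n", count_leaking_lines(sample, n), n);

    /* Simulated chfn situation: real uid 1000, effective uid 0. */
    const char *path = trusted_inputrc("/etc/shadow", 1000, 0);
    printf("INPUTRC honoured while setuid root? %s\n", path ? "yes" : "no");
    return 0;
}
```

Note that the PEM header and footer lines contain spaces and so are not caught by rule 3; it is the base64 body, which is exactly the secret material, that has neither spaces nor colons on every line.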