Changing Full Name Overrides Full GECOS Field, Circumventing Security Controls
The full name of a user is the first value of the comma-separated GECOS field in
The chfn tool used to manipulate that field has security controls so that unprivileged users can change their full name or phone number, but not arbitrary other values in GECOS. These include a check that a full name may not contain a comma or an equals sign, and preservation of all other GECOS fields.
When a user changes their full name using the Account Service, it calls usermod -c to override the full GECOS field with the user-supplied value without performing any such checks. That means the user can trick applications that rely on GECOS as a trusted source of information into doing unintended things. (The first application I could find that does such a thing is pam_umask, where it's harmless, but all kinds of things can be stored there, since in the traditional UNIX model it's the only place where additional user information can be stored.)
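The following is an added example, not code from this report or from accountsservice or shadow-utils, contrasting the two behaviours described above: an unchecked update that replaces the whole GECOS string (the effect of `usermod -c`), and a chfn-style update that validates the name and rewrites only the first field. The five-field GECOS layout, the forbidden character set (the report's comma and equals sign, plus colon and newline, which would corrupt the passwd record) and the `gecos_umask` consumer are assumptions standing in for pam_umask-like parsing, not its actual implementation.

```python
"""Checked vs. unchecked full-name updates on a GECOS string (added example)."""

# Assumed layout: full name, room, work phone, home phone, other.
# ',' and '=' are the characters the report says chfn rejects; ':' and '\n'
# are added because they would break the colon-separated passwd record.
FORBIDDEN = {",", "=", ":", "\n"}


def naive_set_full_name(gecos: str, new_name: str) -> str:
    """Unchecked behaviour: the whole GECOS field becomes the user's input,
    which is what running `usermod -c NEW_NAME` does. All other fields are lost
    and any comma-separated values the user supplies are written verbatim."""
    return new_name


def is_valid_full_name(new_name: str) -> bool:
    """chfn-style validation: no field separators, no passwd separators,
    no control characters."""
    return not (FORBIDDEN & set(new_name)) and new_name.isprintable()


def checked_set_full_name(gecos: str, new_name: str) -> str:
    """Checked behaviour: validate the name, then rewrite only the first
    GECOS field, preserving every other field exactly as stored."""
    if not is_valid_full_name(new_name):
        raise ValueError("full name contains a forbidden or non-printable character")
    fields = gecos.split(",")
    fields[0] = new_name
    return ",".join(fields)


def gecos_umask(gecos: str):
    """Assumed stand-in for a GECOS consumer such as pam_umask: return the value
    of a 'umask=NNNN' entry found in any field, or None if there is none."""
    for field in gecos.split(","):
        if field.startswith("umask="):
            return field[len("umask="):]
    return None


if __name__ == "__main__":
    # Constructed sample record and a crafted "name" carrying extra fields.
    stored = "Alice Example,101,555-0100,,"
    crafted = "Mallory,,,,umask=0000"

    print("unchecked:", naive_set_full_name(stored, crafted))
    print("consumer sees umask:", gecos_umask(naive_set_full_name(stored, crafted)))
    print("checked:  ", checked_set_full_name(stored, "Alice B. Example"))
    try:
        checked_set_full_name(stored, crafted)
    except ValueError as exc:
        print("checked rejected crafted name:", exc)
```

The point of the checked variant is that the validation and the field-preserving rewrite go together: rejecting separators alone still clobbers the room and phone fields, and preserving fields alone still lets a comma in the name push user-controlled text into the "other" field that downstream consumers read.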
We default to a 90-day disclosure timeline (which would mean 2020-04-29) for vulnerabilities we find, but are usually happy to agree to a shorter time period. I will request a CVE from MITRE unless you will be taking care of that yourselves.