Zellic

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The recursive mode (-R) of the chmod utility incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 even if errors, such as 'Operation not permitted', occurred during the processing of previous files. Consequently, scripts relying on these exit codes may incorrectly assume the operation was successful while some files retain incorrect permissions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A flaw in the ChownExecutor used by chown and chgrp causes these utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A flaw in the mkfifo utility allows for the unauthorized modification of permissions on existing files. When the utility fails to create a FIFO because a file already exists at the target path, it does not terminate the operation. Instead, it proceeds to execute a set permissions call, which changes the existing file's permissions to the default mode (typically 644 after umask). This can lead to the exposure of sensitive files, such as SSH private keys, to other users on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The mktemp utility fails to properly handle an empty `TMPDIR` environment variable. While other implementations fall back to /tmp when `TMPDIR` is an empty string, this implementation treats the empty string as a valid path, resulting in temporary files being created in the current working directory. This behavior can lead to unauthorized access to temporary data or information disclosure if the current working directory has more permissive access controls than the intended secure temporary directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The cut utility incorrectly handles the -s (only-delimited) option when a newline character is used as the delimiter. The `cut fields newline char delim()` function fails to verify the `only delimited` flag, which results in the utility printing non-delimited lines that should have been suppressed. This behavior may cause unexpected data to be passed to downstream scripts that depend on strict output filtering. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The dd utility suppresses errors during file truncation operations by unconditionally calling the `Result::ok()` function on truncation attempts. Although this was intended to mimic GNU behavior for special files such as '/dev/null', the implementation also hides failures on regular files and directories caused by read-only file systems or full disks. This may result in silent data corruption in migration or backup scripts, as the utility can report a successful operation despite the destination file containing garbage or old data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A flaw in the tail utility occurs when using the '--follow=name' option. The implementation continues to monitor a path even after it has been replaced by a symbolic link, which leads to the output of the target file's contents. A local attacker with write access to a monitored directory can replace a log file with a symbolic link to a sensitive system file, such as '/etc/shadow', causing the utility to disclose the contents of that file if it is being monitored by a privileged user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The comm utility silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation utilizes the `String::from utf8 lossy()` function, which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior leads to corrupted output when comparing binary files or files that use non-UTF-8 legacy encodings, as it does not preserve original raw bytes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The comm utility incorrectly consumes data from non-regular file inputs before performing comparison operations. The `are files identical()` function opens and reads from both input paths to compare content without verifying if the paths refer to regular files. If an input path is a FIFO (a special file that allows communication between processes) or a pipe, this pre-read operation drains the stream, causing silent data loss before the actual comparison logic is executed. Furthermore, the utility may hang indefinitely when attempting to pre-read from infinite streams such as '/dev/zero'. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The sort utility is susceptible to a process panic when the '--files0-from' option is used with inputs containing non-UTF-8 filenames. The issue occurs because the implementation enforces UTF-8 encoding and uses the `expect()` function, leading to an immediate crash when valid but non-UTF-8 paths are encountered. This behavior differs from GNU sort, which processes filenames as raw bytes. A local attacker can leverage this to crash the utility and disrupt automated pipelines. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A flaw in the rm utility allows a bypass of the --preserve-root protection. The system uses a path-string check instead of comparing device and inode numbers to identify the root directory. This allows a user to bypass the safeguard by using a symbolic link that resolves to the root directory, which could lead to the recursive deletion of the entire root filesystem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The cp utility fails to properly handle setuid and setgid bits when ownership preservation fails. When using the '-p' (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The mv utility fails to preserve file ownership when moving files across different filesystem boundaries. In these instances, the utility uses a copy-and-delete routine that creates the destination file using the caller's UID (User Identifier) and GID (Group Identifier) instead of the source's metadata. This behavior can result in files moved by a privileged user becoming owned by that user, potentially leading to restricted access for intended owners or information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility. This occurs when the utility creates a FIFO and subsequently performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can replace the newly created FIFO with a symbolic link between these two operations, redirecting the chmod call to an arbitrary file. This may lead to privilege escalation if the utility is executed with elevated privileges. TOCTOU is a software bug where a system checks the state of a resource before using it, but the state changes between the check and the use. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The mkdir utility incorrectly applies permissions when the `-m` flag is used. The utility creates a directory with umask-derived permissions (typically 0755) and then changes them to the requested mode using a separate chmod system call. In multi-user environments, this creates a brief window where a directory intended to be private remains accessible to other users, which could lead to unauthorized data access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A Time-of-Check to Time-of-Use (TOCTOU) issue exists in the mv utility during cross-device moves. The logic for preserving extended attributes (xattr) relies on multiple path-based system calls that perform new path-to-inode lookups for every operation. A local attacker with write access to the directory can exploit this race condition to swap files between calls, resulting in the destination file receiving an inconsistent mix of security xattrs, such as file capabilities or SELinux labels. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The install utility contains a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. This occurs because the implementation unlinks an existing destination file and recreates it using a path-based operation without the `O EXCL` flag. A local attacker can exploit the timing window between the unlink and creation to replace the path with a symbolic link, enabling the redirection of privileged writes to overwrite arbitrary system files. TOCTOU is a software bug where the state of a resource changes between the time it is checked and the time it is used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A Time-of-Check to Time-of-Use (TOCTOU) issue exists in the install utility when using the '-D' flag. The command creates parent directories and then performs a second path resolution to create the target file, without anchoring either process to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location. TOCTOU is a race condition where a system resource is modified between the time it is checked and the time it is used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** The cp utility is subject to an information disclosure race condition. Destination files are initially created using permissions derived from the umask (for example, 0644) before the process restricts them to their final mode (for example, 0600). A local attacker can exploit this timing window to open the file; the resulting file descriptor remains valid and readable even after permissions are tightened, allowing access to sensitive or private content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uutils coreutils (affected versions not specified) **Description** A flaw in the chmod utility allows users to bypass the --preserve-root safety mechanism. The implementation validates if the target path is literally '/', but fails to canonicalize the path. This allows the use of path variants such as '/../' or symbolic links to perform destructive recursive operations, such as 'chmod -R 000', on the entire root filesystem, which can result in system-wide permission loss and complete system breakdown. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.