PT-2018-6614 · Gnu+2 · Gnu Coreutils+2

Michael Orlitzky

Published

2018-01-04

Updated

2019-01-08

CVE-2017-18018

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: GNU Coreutils versions prior to 8.30

Description: The issue allows local users to modify the ownership of arbitrary files by leveraging a race condition when using the POSIX "-R -L" options in chown and chgrp. This occurs because chown-core.c does not prevent replacement of a plain file with a symlink.

Recommendations: For GNU Coreutils versions prior to 8.30, update to version 8.30 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the POSIX "-R -L" options in chown and chgrp until the update is applied.

Exploit

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

ALT-PU-2018-2970

CVE-2017-18018

ECHO-4077-4868-610E

MGASA-2019-0022

Affected Products

Alt Linux

Debian

Gnu Coreutils

PT-2018-6614 · Gnu+2 · Gnu Coreutils+2

CVE-2017-18018

Weakness Enumeration

Related Identifiers

Affected Products

References · 24