Add CVE-2017-18018/coreutils
This item should probably be marked as unimportant.

https://lists.gnu.org/archive/html/coreutils/2017-12/msg00071.html

> On 12/28/2017 04:36 PM, Michael Orlitzky wrote:
> > Does anyone mind if I reserve a CVE for this?
> >
>
> Of course not - but I doubt that we can do much about it:
> the chown(1) binary is just a wrapper around chown(2)/lchown(2),
> so whatever (other) utility uses these system calls in a recursive
> way will be prone to that trap.
>
> I think the best way to handle this is to keep teaching sysadmins
> to avoid the --dereference option together with -R; usually
> "chown -R" with the default -P is probably good enough.
>
> It would probably be good to add a clarifying sentence to the Texinfo
> documentation. Would you like to propose a sentence?

Will just be fixed by clarifying documentation about security risk.
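A pre-flight audit for the advice quoted above, as an added example that is not part of this commit or of coreutils: it lists the symlinks under a tree whose targets resolve outside it, which are the entries a dereferencing recursive chown would act on. The function names `escaping_symlinks` and `demo` are hypothetical, and `find` plus `readlink -f` (GNU coreutils) are assumed to be available.

```shell
#!/bin/sh
# Added example: report symlinks under DIR whose resolved target lies
# outside DIR. Run it before a recursive ownership change to see what
# following symlinks would touch; "chown -R" with the default -P does
# not traverse them.

escaping_symlinks() {
    # Canonical (symlink-free) path of the tree root.
    root=$(cd -- "$1" && pwd -P) || return 2
    # -exec ... {} + hands paths over as arguments, so file names with
    # spaces or newlines are not split.
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            # readlink -f resolves every component of the link target.
            target=$(readlink -f -- "$link") || target="(unresolvable)"
            case $target in
                "$root"|"$root"/*) ;;                     # stays in tree
                *) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +
}

demo() {
    # Constructed sample tree: one link stays inside, one escapes.
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/tree/sub" "$tmp/outside"
    : > "$tmp/outside/secret"
    : > "$tmp/tree/sub/file"
    ln -s file "$tmp/tree/sub/inside"
    ln -s "$tmp/outside/secret" "$tmp/tree/sub/escape"
    escaping_symlinks "$tmp/tree"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

An empty report means no symlink in the tree points outside it at the time of the scan; the tree can still change between the scan and the chown, so the default `-P` remains the safer mode.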