uutils coreutils Chmod Utility Incorrect Exit Code Handling Vulnerability

Vulnerability

A vulnerability exists in the recursive mode of the chmod utility within uutils coreutils, specifically in version 0.6.0. The issue arises because the utility improperly manages exit codes when applying changes to multiple files. The final exit code reflects only the last file processed, potentially masking errors encountered with previous files, such as 'Operation not permitted'. This mismanagement can lead to scripts erroneously assuming successful execution while sensitive files may retain incorrect or overly restrictive permissions.

Impact

This vulnerability can cause scripts to proceed under the false impression of success, while sensitive files remain with incorrect or overly restrictive permissions.

Reproduction

To reproduce this vulnerability, use the chmod command with the recursive option (-R) to change permissions on multiple files. After the command executes, check the exit code. The exit code will be 0 (indicating success) even if errors were encountered on previous files, such as 'Operation not permitted'. This can be verified by attempting to change permissions on a file where the operation is not allowed, and observing that the command still returns a success exit code.

Remediation

Users can manually check the exit codes when using chmod in recursive mode, or update to a version of uutils coreutils where this issue is fixed.
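
One way to do the manual check described above without trusting the exit status of chmod -R alone. This is an added example, not code from the uutils project; the function names are hypothetical and it assumes an octal mode.

```shell
#!/bin/sh
# Added example: verify the result of `chmod -R` independently of its exit code.
# Function names are hypothetical; only octal modes (e.g. 700) are supported.
# Usage (path is a placeholder): safe_chmod_r 700 ./some-dir || exit 1

# Print every entry under DIR whose permission bits differ from octal MODE.
# Symlinks are skipped because their own mode is not what chmod -R sets.
find_mode_mismatches() {
    # $1 = directory, $2 = octal mode
    find "$1" ! -type l ! -perm "$2" -print
}

# Run chmod -R, then fail if chmod signalled an error in any way
# (non-zero status or any stderr output) or if any entry kept another mode.
safe_chmod_r() {
    mode=$1
    dir=$2
    case $mode in
        *[!0-7]*|'') echo "safe_chmod_r: octal mode required" >&2; return 2 ;;
    esac

    errlog=$(mktemp) || return 2
    status=0
    chmod -R "$mode" "$dir" 2>"$errlog" || status=$?

    # Messages such as 'Operation not permitted' go to stderr; treat any
    # output there as a failure even when the exit code says success.
    if [ -s "$errlog" ]; then
        cat "$errlog" >&2
        status=1
    fi
    rm -f "$errlog"

    # Independent check: walk the tree and compare the actual mode bits.
    leftover=$(find_mode_mismatches "$dir" "$mode") || status=1
    if [ -n "$leftover" ]; then
        printf 'mode %s not applied to:\n%s\n' "$mode" "$leftover" >&2
        status=1
    fi
    return "$status"
}
```
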

Added: Apr 22, 2026, 6:28 PM
Updated: Apr 22, 2026, 6:28 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.