uutils coreutils comm Utility Data Loss Vulnerability via Non-Regular File Inputs

Vulnerability

A vulnerability in the comm utility of uutils coreutils version 0.6.0 has been identified, where the utility improperly handles data from non-regular file inputs before performing comparison operations. The issue arises because the are_files_identical function reads from both input paths to compare contents without first checking if the paths refer to regular files. This oversight can lead to silent data loss, especially if the input is a FIFO or a pipe, as the pre-read operation drains the stream. Additionally, the utility may hang indefinitely when pre-reading from infinite streams like /dev/zero.
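As an added illustration, not code from uutils coreutils or its actual fix, the following Rust sketch places the unguarded pre-read pattern described above next to a guarded variant that refuses to pre-read anything that is not a regular file. The function names, the "-" (stdin) handling and the inode and size shortcuts are assumptions made for this example.

```rust
// Added example (not uutils code or its fix): the unguarded pre-read that the
// advisory describes, beside a guarded variant that never pre-reads a
// non-regular input. Unix-only because it inspects device/inode numbers.
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Defect pattern: reads both inputs to EOF. On a FIFO or pipe this drains
/// the data before the real comparison; on /dev/zero it never returns.
pub fn are_files_identical_unguarded(a: &Path, b: &Path) -> io::Result<bool> {
    let (mut ba, mut bb) = (Vec::new(), Vec::new());
    File::open(a)?.read_to_end(&mut ba)?;
    File::open(b)?.read_to_end(&mut bb)?;
    Ok(ba == bb)
}

/// Guarded pre-check: only regular files are ever pre-read. Anything else
/// ("-" for stdin, FIFOs, pipes, character devices) is reported as
/// "not known to be identical" so the main pass sees every byte exactly once.
pub fn are_files_identical(a: &Path, b: &Path) -> io::Result<bool> {
    if a.as_os_str() == "-" || b.as_os_str() == "-" {
        return Ok(false);
    }
    let (ma, mb) = (fs::metadata(a)?, fs::metadata(b)?); // follows symlinks
    if !ma.file_type().is_file() || !mb.file_type().is_file() {
        return Ok(false);
    }
    // Same device and inode: the same file, no read needed.
    if ma.dev() == mb.dev() && ma.ino() == mb.ino() {
        return Ok(true);
    }
    // Different sizes cannot be identical; skips reading large files.
    if ma.len() != mb.len() {
        return Ok(false);
    }
    are_files_identical_unguarded(a, b)
}

fn main() -> io::Result<()> {
    let args: Vec<String> = std::env::args().collect();
    if args.len() != 3 {
        eprintln!("usage: {} FILE1 FILE2", args[0]);
        return Ok(());
    }
    let same = are_files_identical(Path::new(&args[1]), Path::new(&args[2]))?;
    println!("identical (by guarded pre-check): {same}");
    Ok(())
}
```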

Impact

This vulnerability can cause unintended data loss by prematurely consuming input from pipes or FIFOs, leading to incomplete comparisons. Furthermore, the utility may become unresponsive if it reads from infinite streams.

Reproduction

The vulnerability can be reproduced by using the comm utility with one or both input files set to non-regular file types, such as FIFOs or pipes. This can be done by creating a FIFO using the mkfifo command or by using a pipe in a shell command. When comm attempts to compare the files, it first reads the contents of the pipes or FIFOs, draining them before the comparison is made. If an infinite stream like /dev/zero is used, comm hangs indefinitely.

Remediation

Users can update to uutils coreutils version 0.6.0, which includes a fix for this issue. The updated version can be downloaded from the uutils coreutils GitHub releases page.

Added: Apr 22, 2026, 6:48 PM
Updated: Apr 22, 2026, 6:48 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 1.3
exploitability: 3.6
remediation: 7.7
relevance: 6.5
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.