uutils coreutils sort Utility Process Panic Vulnerability with Non-UTF-8 Filenames

Vulnerability

A vulnerability in the sort utility of uutils coreutils can lead to a process panic when the --files0-from option is used with inputs containing non-UTF-8 filenames. The utility enforces UTF-8 encoding on the names it reads and crashes immediately when it encounters a path that is valid on the filesystem but is not valid UTF-8. This behavior contrasts with GNU sort, which treats filenames as raw bytes. A local attacker can exploit this vulnerability to cause the utility to crash, disrupting automated workflows.

Impact

Exploitation of this vulnerability causes the sort utility to crash, creating compatibility issues with automated processes that rely on the utility.

Reproduction

The vulnerability can be reproduced by writing a NUL-separated filename containing non-UTF-8 bytes, such as a filename containing the byte 0xFF, into a file, and then passing that file to sort with the --files0-from option. uutils coreutils will panic and crash, while GNU coreutils will process the file list correctly.
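The difference between the two behaviors described above, as an added Rust example (not code from uutils coreutils or from this advisory): one parser for a NUL-separated file list enforces UTF-8, the other keeps each name as raw bytes. The function names are hypothetical, the sample list is constructed, and the byte-preserving version assumes a Unix target.

```rust
use std::ffi::OsString;
use std::os::unix::ffi::OsStringExt; // Unix-only: paths are arbitrary byte strings
use std::path::PathBuf;
use std::string::FromUtf8Error;

/// UTF-8-enforcing parse (hypothetical): any name that is not valid UTF-8
/// makes the whole list fail. Calling `.unwrap()` or `.expect()` on this
/// result is the kind of step that turns such a filename into a panic.
fn parse_files0_utf8(list: &[u8]) -> Result<Vec<PathBuf>, FromUtf8Error> {
    list.split(|&b| b == 0)
        .filter(|name| !name.is_empty()) // skip empty segments, e.g. after the final NUL
        .map(|name| String::from_utf8(name.to_vec()).map(PathBuf::from))
        .collect()
}

/// Byte-preserving parse (hypothetical): every name is kept as raw bytes,
/// which is how the advisory describes GNU sort treating filenames.
fn parse_files0_bytes(list: &[u8]) -> Vec<PathBuf> {
    list.split(|&b| b == 0)
        .filter(|name| !name.is_empty())
        .map(|name| PathBuf::from(OsString::from_vec(name.to_vec())))
        .collect()
}

fn main() {
    // Constructed sample: two NUL-terminated names, the second containing byte 0xFF.
    let list: &[u8] = b"plain.txt\0bad\xFFname.txt\0";

    // Handling the error reports the bad name instead of aborting the process.
    match parse_files0_utf8(list) {
        Ok(paths) => println!("utf8 parse: {:?}", paths),
        Err(e) => println!("utf8 parse rejected the list: {}", e),
    }
    println!("byte parse: {:?}", parse_files0_bytes(list));
}
```

A regression test for a fixed build can feed a list like the constructed one here and check that the process exits with a normal status rather than a panic.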

Remediation

Users can update to the latest version of uutils coreutils, where this issue has been addressed.

Added: Apr 22, 2026, 6:11 PM
Updated: Apr 22, 2026, 6:11 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.