uutils coreutils rm Utility --preserve-root Bypass Vulnerability
Vulnerability
A vulnerability in the rm utility of uutils coreutils allows the --preserve-root safeguard to be bypassed. It affects uutils coreutils versions prior to 0.7.0. The implementation identifies the root directory by checking the path string instead of comparing device and inode numbers. As a result, a symbolic link that points to the root directory is not recognized as root, so an attacker, or a user acting by accident, can pass such a link to rm, potentially leading to the recursive deletion of the entire root filesystem.
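The difference between the two checks, as an added Rust example (not code from uutils coreutils): `is_root_by_string` is a simplified stand-in for a path-string test, while `is_root_by_identity` follows symlinks and compares device and inode numbers with those of `/`. The function names and the scratch symlink created under the temp directory are assumptions made for this illustration.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::{Path, PathBuf};

/// Weak check (simplified stand-in): treats only the literal path "/" as root.
fn is_root_by_string(path: &Path) -> bool {
    path == Path::new("/")
}

/// Hardened check: resolve the path and compare (device, inode) with "/".
fn is_root_by_identity(path: &Path) -> io::Result<bool> {
    let root = fs::metadata("/")?;
    let target = fs::metadata(path)?; // fs::metadata follows symlinks
    Ok(root.dev() == target.dev() && root.ino() == target.ino())
}

/// Build a constructed test fixture: a symlink to "/" inside a scratch directory.
fn make_root_link() -> io::Result<(PathBuf, PathBuf)> {
    let dir = std::env::temp_dir().join(format!("preserve-root-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let link = dir.join("rootlink");
    let _ = fs::remove_file(&link); // drop a stale link from an earlier run
    symlink("/", &link)?;
    Ok((dir, link))
}

/// Remove only the link itself and the empty scratch directory (never recursive).
fn cleanup(dir: &Path, link: &Path) {
    let _ = fs::remove_file(link);
    let _ = fs::remove_dir(dir);
}

fn main() -> io::Result<()> {
    let (dir, link) = make_root_link()?;
    for p in [Path::new("/"), link.as_path(), dir.as_path()] {
        println!(
            "{:<45} string check: {:<5} dev/ino check: {}",
            p.display(),
            is_root_by_string(p),
            is_root_by_identity(p)?
        );
    }
    cleanup(&dir, &link);
    Ok(())
}
```

A guard built on the second function refuses the link as well as the literal `/`, because both resolve to the same device and inode pair.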
Impact
Exploitation of this vulnerability could result in the unintended recursive deletion of the entire root filesystem.
Reproduction
To reproduce this vulnerability, create a symbolic link that points to the root directory. Then, use the rm command with the --preserve-root option. The command will incorrectly allow the deletion of files, bypassing the intended protection.
Remediation
Users can update to uutils coreutils version 0.7.0 or later, where this vulnerability has been fixed.
