uutils coreutils rm Trailing Slash Path Vulnerability Leading to Unintended Recursive Deletion

Vulnerability

A vulnerability in the rm command of uutils coreutils allows users to bypass safeguards that protect the current directory from deletion. While the command normally refuses to delete the current or parent directory, it fails to recognize equivalent paths with trailing slashes, such as './' or './//'. This oversight can lead to accidental or malicious deletion of all files in the current directory. The issue is compounded by a misleading error message that may cause users to overlook the data loss.

Impact

The vulnerability allows for silent, recursive deletion of all contents in the current directory, with the rm command erroneously reporting an 'Invalid input' error, which can obscure the data loss.

Reproduction

The vulnerability can be reproduced by executing the command 'rm -rf ./' or 'rm -rf .///' in a directory. Despite the command's error message indicating a failure to delete, all contents of the directory will have been removed.
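The operand check this class of bug comes down to, as an added example in Rust (not code from uutils coreutils or its fix). The function names and sample operands are constructed for illustration; it contrasts a literal string comparison with a guard that ignores trailing slashes.

```rust
// Added illustration; function names are hypothetical, not uutils APIs.

/// Naive guard: compares the operand text literally, so "./" and ".///"
/// are not recognised as the current directory.
fn naive_is_dot_or_dotdot(operand: &str) -> bool {
    operand == "." || operand == ".."
}

/// Hardened guard: strip trailing slashes, then inspect the last component.
/// This works on the raw string because std::path::Path::components()
/// normalizes away a trailing "." (e.g. in "dir/.").
fn is_dot_or_dotdot(operand: &str) -> bool {
    let trimmed = operand.trim_end_matches('/');
    // An operand made only of slashes is the root, not "." or "..".
    if trimmed.is_empty() {
        return false;
    }
    let last = trimmed.rsplit('/').next().unwrap_or(trimmed);
    last == "." || last == ".."
}

fn main() {
    // Constructed sample operands, including the two forms named on this page.
    let operands = [
        ".", "./", ".///", "./////", "..", "../", "dir/.", "dir/..//",
        "dir/", ".hidden/", "...", "/",
    ];
    for op in operands {
        println!(
            "{:<10} naive_refuses={:<5} hardened_refuses={}",
            op,
            naive_is_dot_or_dotdot(op),
            is_dot_or_dotdot(op)
        );
    }
}
```

A guard of this kind has to run before any recursive traversal starts, so a refused operand leaves the directory untouched.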

Remediation

Users can update to the latest version of uutils coreutils, where this vulnerability has been addressed.

Added: Apr 22, 2026, 5:57 PM
Updated: Apr 22, 2026, 5:57 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 3.6
remediation: 0.0
relevance: 6.5
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.