uutils coreutils Split Utility Logic Error Vulnerability Leading to Output Filename Corruption
Vulnerability
A logic error has been identified in the split utility of uutils coreutils, specifically in version 0.8.0. It corrupts output filenames when a non-UTF-8 prefix or suffix is supplied. The implementation builds chunk filenames with to_string_lossy(), which replaces each invalid byte sequence with the Unicode replacement character (U+FFFD). GNU split, by contrast, preserves the raw pathname bytes. In environments that use non-UTF-8 encodings, the result is incorrect file names, which can lead to filename collisions, disrupted automation, or misdirected output data.
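The following added example (not code from uutils coreutils) shows how lossy conversion maps two distinct non-UTF-8 prefixes to the same chunk name, while a byte-preserving construction keeps them apart. The function names and the sample byte strings are hypothetical and constructed for illustration; the code assumes a Unix target, where pathnames are arbitrary bytes.

```rust
use std::ffi::{OsStr, OsString};
use std::os::unix::ffi::OsStrExt; // Unix-only: pathnames are arbitrary bytes

// Hypothetical helper mirroring the lossy pattern the advisory describes:
// invalid bytes turn into U+FFFD before the chunk name is assembled.
fn chunk_name_lossy(prefix: &OsStr, index: &str, suffix: &OsStr) -> OsString {
    let name = format!(
        "{}{}{}",
        prefix.to_string_lossy(),
        index,
        suffix.to_string_lossy()
    );
    OsString::from(name)
}

// Hypothetical byte-preserving variant: the name never leaves OsString,
// so raw pathname bytes pass through untouched (the GNU split behaviour).
fn chunk_name_raw(prefix: &OsStr, index: &str, suffix: &OsStr) -> OsString {
    let mut name = OsString::with_capacity(prefix.len() + index.len() + suffix.len());
    name.push(prefix);
    name.push(index);
    name.push(suffix);
    name
}

// Audit check: true when lossy conversion would alter this argument.
fn lossy_would_alter(arg: &OsStr) -> bool {
    arg.to_str().is_none()
}

fn main() {
    // Constructed sample: two distinct Latin-1 encoded prefixes.
    let a = OsStr::from_bytes(b"caf\xe9_");
    let b = OsStr::from_bytes(b"caf\xe8_");
    let suffix = OsStr::new(".part");

    for prefix in [a, b] {
        println!(
            "alter={} lossy={:?} raw={:?}",
            lossy_would_alter(prefix),
            chunk_name_lossy(prefix, "aa", suffix),
            chunk_name_raw(prefix, "aa", suffix)
        );
    }
    // Both lossy names are identical, so two runs would write to the same file.
    assert_eq!(chunk_name_lossy(a, "aa", suffix), chunk_name_lossy(b, "aa", suffix));
    assert_ne!(chunk_name_raw(a, "aa", suffix), chunk_name_raw(b, "aa", suffix));
}
```

A check like lossy_would_alter() can be used in wrapper scripts or tests to flag prefix and suffix arguments that an affected build would rename.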
Impact
Exploitation of this vulnerability causes output files to be created with incorrect names, leading to potential filename collisions, broken automation, or misdirection of output data.
Remediation
Users can upgrade to uutils coreutils version 0.8.0 or later, where this vulnerability has been addressed.
