uutils coreutils tr Utility Logic Error Vulnerability in Character Class Definitions
Vulnerability
A logic error has been identified in the tr utility of uutils coreutils, specifically in version 0.8.0. The implementation misinterprets the [:graph:] and [:print:] character classes: it erroneously includes the ASCII space character in [:graph:] while excluding it from [:print:], which is the reverse of the behavior defined by POSIX and implemented by GNU coreutils. As a result, automated scripts or data-cleaning processes that depend on the conventional meanings of these classes can suffer unintended data modification or loss. For instance, a command intended to remove all graphical characters while keeping whitespace will instead delete every ASCII space, potentially causing data corruption or logical errors in subsequent processing.
Impact
Exploitation of this vulnerability can result in unintended data modification or loss, particularly in automated scripts or data-cleaning workflows that rely on standard character class definitions.
Reproduction
The behavior can be reproduced with any tr invocation that relies on the standard POSIX character class definitions, such as one used in a data-cleaning pipeline or automated script. The incorrect handling of the ASCII space character is visible when a command deletes [:graph:] characters while intending to preserve whitespace: all ASCII spaces are deleted as well.
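The following shell probe, added here and not taken from the advisory or the uutils project, checks whether a given tr binary treats the ASCII space per POSIX (in [:print:], not in [:graph:]) or in the swapped way described above. The binary path argument and the sample input "a b" are constructed for this check.

```shell
#!/bin/sh
# Probe a tr binary for the [:graph:]/[:print:] space handling.
# Usage: sh probe.sh [/path/to/tr]   (defaults to the tr found in PATH)

# Delete one character class from a constructed input ("a b") and
# return the surviving bytes as hex, so a bare space is visible as "20".
survivors_hex() {
    tr_bin=$1
    class=$2
    printf 'a b' | "$tr_bin" -d "$class" | od -An -tx1 | sed 's/[[:space:]]//g'
}

# POSIX: space is in [:print:] but not in [:graph:].
# Correct tr: deleting [:graph:] from "a b" leaves only the space (hex 20),
#             deleting [:print:] leaves nothing.
# uutils 0.8.0 (per the advisory): the two results are swapped.
# Returns 0 when the binary matches POSIX, 1 otherwise.
tr_space_classes_ok() {
    tr_bin=${1:-tr}
    graph_left=$(survivors_hex "$tr_bin" '[:graph:]')
    print_left=$(survivors_hex "$tr_bin" '[:print:]')
    if [ "$graph_left" = "20" ] && [ -z "$print_left" ]; then
        return 0
    fi
    return 1
}

if tr_space_classes_ok "${1:-tr}"; then
    echo "tr: [:graph:]/[:print:] space handling matches POSIX"
else
    echo "tr: space handling is swapped (matches the uutils 0.8.0 defect)" >&2
fi
```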
Remediation
Users can update to uutils coreutils version 0.8.1 or later, where this issue has been fixed.