SB2018081632 - Race condition in coreutils (Alpine package)
Published: August 16, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Race condition (CVE-ID: CVE-2017-18018)
The vulnerability allows a local authenticated user to manipulate data.
In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
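The class of bug described above, shown as an added illustration (this is not code from GNU Coreutils, the Alpine commits, or this bulletin): a simplified routine that checks a file by name and then changes ownership by name, beside a variant that pins the file with a descriptor first. The function names `chown_racy` and `chown_pinned` and the `seen` parameter are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* O_NOFOLLOW, O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern (check by name, then act by name): if the file is replaced
 * with a symlink between lstat() and chown(), chown() follows the link. */
int chown_racy(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    /* window: the name can be re-pointed here, after the check */
    return chown(path, uid, gid);
}

/* Hardened pattern: bind to the object once, then check and act on the fd.
 * 'seen' is the stat result recorded when the file was first examined. */
int chown_pinned(const char *path, const struct stat *seen, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                     /* ELOOP on Linux if path is now a symlink */
    struct stat now;
    int rc = -1;
    if (fstat(fd, &now) == 0) {
        if (!S_ISREG(now.st_mode) || now.st_dev != seen->st_dev || now.st_ino != seen->st_ino)
            errno = ESTALE;            /* a different object than the one examined */
        else
            rc = fchown(fd, uid, gid); /* acts on the pinned inode, not the name */
    }
    int saved = errno;                 /* keep the error across close() */
    close(fd);
    errno = saved;
    return rc;
}
```

`O_NOFOLLOW` only guards the final path component, so a recursive traversal also has to hold each parent directory by descriptor (`openat`) to cover the rest of the path. Opening with `O_RDONLY` requires read permission on the file.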
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=9d7cab77e911bba47d621d0a3560e5f8526df1bc
- https://git.alpinelinux.org/aports/commit/?id=af7395aaa3100fd61a9d94b1f0e159eebc46255f
- https://git.alpinelinux.org/aports/commit/?id=c5f39cc751f15865dfe6a004f5861679c0fc3571
- https://git.alpinelinux.org/aports/commit/?id=2e1d0e8a8958d2fddd9e9fa9fe10de0622b01348