SB2018081632 - Race condition in coreutils (Alpine package)
Published: August 16, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Race condition (CVE-ID: CVE-2017-18018)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local authenticated user to manipulate data.
In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=9d7cab77e911bba47d621d0a3560e5f8526df1bc
- https://git.alpinelinux.org/aports/commit/?id=af7395aaa3100fd61a9d94b1f0e159eebc46255f
- https://git.alpinelinux.org/aports/commit/?id=c5f39cc751f15865dfe6a004f5861679c0fc3571
- https://git.alpinelinux.org/aports/commit/?id=2e1d0e8a8958d2fddd9e9fa9fe10de0622b01348