Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

The vulnerability exists in the sort utility of uutils coreutils when using the --files0-from option with inputs that contain non-UTF-8 filenames. The utility enforces UTF-8 encoding and uses expect(), which causes it to immediately crash if it encounters valid filenames that are not UTF-8 encoded. This behavior differs from GNU sort, which treats filenames as raw bytes and does not crash.

Useful 0 Not Useful 0

Impact Analysis

A local attacker can exploit this vulnerability to cause the sort utility to crash, leading to a process panic. This can disrupt automated pipelines or workflows that rely on the sort utility, potentially causing denial of service or interruption of normal operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the behavior of the uutils/coreutils sort utility when using the --files0-from option with files containing non-UTF-8 encoded filenames.

A practical detection method is to create a file with a filename containing non-UTF-8 byte sequences (for example, a byte 0xFF) and then run the command:

• sort --files0-from=<file_with_non_utf8_filenames>

If the utility panics with a UTF-8 parsing error (such as a Utf8Error) and crashes, this indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, avoid using the `--files0-from` option with the uutils/coreutils sort utility on inputs that may contain non-UTF-8 encoded filenames.

Alternatively, use the GNU coreutils version of sort, which handles non-UTF-8 filenames as raw byte sequences and does not crash on such inputs.

These steps help prevent the utility from crashing due to UTF-8 parsing errors and maintain the stability of automated pipelines.

Useful 0 Not Useful 0