CVE-2017-18018
Published: 4 January 2018
In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
Notes
| Author | Note |
|---|---|
| ccdm94 | It seems like this will not be fixed upstream (due to the nature of the chown and chgrp utilities), the available patch being a documentation change to warn users about insecure software behavior when certain options are used together in chown and chgrp. For this reason, we will not be fixing this issue in releases where it would be needed. These will be marked as ignored. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
coreutils Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Ignored
(documentation patch only)
|
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(8.30-3ubuntu2)
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Not vulnerable
(8.32-4ubuntu2)
|
|
| jammy |
Not vulnerable
(8.32-4ubuntu3)
|
|
| trusty |
Ignored
(documentation patch only)
|
|
| upstream |
Ignored
|
|
| xenial |
Ignored
(documentation patch only)
|
|
| zesty |
Ignored
(end of life)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.7 |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
References
- http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html
- http://www.openwall.com/lists/oss-security/2018/01/04/3
- https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html
- https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html
- https://www.cve.org/CVERecord?id=CVE-2017-18018
- NVD
- Launchpad
- Debian