See https://www.openwall.com/lists/oss-security/2024/01/18/2.

Patch at https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=c4c5ed8f4e9cd55a12966d4f520e3a13101637d9.

"""
A proof-of-concept file to trigger the crash is available under
https://github.com/Valentin-Metz/writeup_split/blob/main/split_me

You can use it to trigger a segmentation fault (SIGABRT) in split, using "split -C 1024 ./split_me".

A detailed writeup will follow once distro maintainers have had some time to distribute a fix.
"""
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f00b339a42285e269063b7cdecb9d5e726ee2bf7

commit f00b339a42285e269063b7cdecb9d5e726ee2bf7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-30 20:22:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-30 20:49:09 +0000

    sys-apps/coreutils: patch CVE-2024-0684

    Bug: https://bugs.gentoo.org/922474
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/coreutils/coreutils-9.4-r1.ebuild         | 273 +++++++++++++++++++++
 .../files/coreutils-9.4-CVE-2024-0684.patch        |  31 +++
 2 files changed, 304 insertions(+)
I'm avoiding cleaning up 8.32 (still!) because of all the ZFS bugs with CoW, as it's been useful for people to be able to downgrade to it. But 9.4 can go.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6ab4754bb6c685d3bd793af39057d27c264bae97

commit 6ab4754bb6c685d3bd793af39057d27c264bae97
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-05 09:26:36 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-05 09:29:38 +0000

    [ GLSA 202407-16 ] GNU Coreutils: Buffer Overflow Vulnerability

    Bug: https://bugs.gentoo.org/922474
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-16.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)