See https://www.openwall.com/lists/oss-security/2024/01/18/2.

Patch at https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=c4c5ed8f4e9cd55a12966d4f520e3a13101637d9.

"""
A proof-of-concept file to trigger the crash is available under
https://github.com/Valentin-Metz/writeup_split/blob/main/split_me

You can use it to trigger a segmentation fault (SIGABRT) in split,
using "split -C 1024 ./split_me".

A detailed writeup will follow once distro maintainers have had some time to distribute a fix.
"""

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f00b339a42285e269063b7cdecb9d5e726ee2bf7

commit f00b339a42285e269063b7cdecb9d5e726ee2bf7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-30 20:22:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-30 20:49:09 +0000

    sys-apps/coreutils: patch CVE-2024-0684

    Bug: https://bugs.gentoo.org/922474
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/coreutils/coreutils-9.4-r1.ebuild         | 273 +++++++++++++++++++++
 .../files/coreutils-9.4-CVE-2024-0684.patch        |  31 +++
 2 files changed, 304 insertions(+)

I'm avoiding cleaning up 8.32 (still!) because of all the ZFS bugs with CoW, as it's been useful for people to be able to downgrade to it. But 9.4 can go.