Note that bug 714934 did affect coreutils.

1) CVE-2017-7476
URL: https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9287ef2b1707e2a222f8ae776ce3785abcb16fba
Status: Fixed in coreutils 8.28, out of tree now.

2) CVE-2018-17942
Description: "The convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing."
URL: https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9c3730e601b72b4478e81d3c75e06ede4cfd93bc
This is the first sync w/ gnulib after the fix, looks like first release after this was 8.31.
URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4ZP6L5HXDOVKYTM5ELLYE64H75MT4LZR/
So it looks like this might indeed affect coreutils < 8.31.
I can't see why Fedora patched this, actually.