uutils coreutils sort Local Denial of Service via Forced UTF-8 Parsing

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

未捕获的异常

uutils coreutils 安全漏洞

uutils coreutils是Uutils开源的一个跨平台核心命令行工具集。 uutils coreutils存在安全漏洞，该漏洞源于sort实用程序在使用--files0-from选项处理包含非UTF-8文件名的输入时容易发生进程崩溃，实现强制UTF-8编码并使用expect，在遇到有效但非UTF-8路径时立即崩溃，这与将文件名视为原始字节的GNU sort不同，本地攻击者可利用此漏洞崩溃实用程序并破坏自动化管道。

N/A

N/A