Source: coreutils
Version: 9.4-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for coreutils.

CVE-2024-0684[0]:
| heap overflow in split --line-bytes with very long lines

Note, the severity is chosen as such to make sure the fix lands in
trixie, but is slightly overrated. If you feel strongly about it, feel
free to downgrade.

The issue can be reproduced with:

    { printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in
    split -C 131072 ---io=131072 in

and only affects the trixie and unstable versions of split.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0684
    https://www.cve.org/CVERecord?id=CVE-2024-0684
[1] https://www.openwall.com/lists/oss-security/2024/01/18/2

Regards,
Salvatore
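
The following is an added example, not part of Salvatore's report or of the
coreutils project: a shell function that runs the reproducer above in a scratch
directory and checks the two invariants `split -C` is supposed to hold (the
pieces reassemble byte-for-byte to the input, and no piece exceeds the
131072-byte limit). It assumes GNU split is on PATH and that `mktemp`, `cmp`
and `wc` are available. A heap overflow can leave the output intact, so a
passing run is not proof that the installed binary is fixed; a failing run or
a crash is a red flag.

```bash
#!/bin/sh
# Added example (not from the bug report or coreutils): exercise the
# CVE-2024-0684 reproducer and verify split's output invariants.

# Returns 0 when the pieces reassemble to the input and every piece is at most
# the requested size, 1 otherwise (or if split itself fails or crashes).
check_split_line_bytes() {
    limit=131072
    dir=$(mktemp -d) || return 1
    rc=1
    (
        cd "$dir" || exit 1
        # Constructed input, as in the report: a 131070-byte line, a one-byte
        # line, then a 131071-byte line, each newline-terminated.
        { printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in
        # ---io is the undocumented GNU option that pins the I/O buffer size.
        split -C "$limit" ---io="$limit" in || exit 1
        # Pieces are named xaa, xab, ...; glob order is split order.
        cat x* | cmp -s - in || exit 1
        for piece in x*; do
            size=$(wc -c < "$piece")
            [ "$size" -le "$limit" ] || exit 1
        done
    ) && rc=0
    rm -rf "$dir"
    return $rc
}

if check_split_line_bytes; then
    echo "split -C: output reassembles and respects the size limit"
else
    echo "split -C: invariant violated or split failed; investigate this build"
fi
```

With the input above a correct split yields three pieces of 131071, 2 and
131072 bytes; the function checks the invariants rather than those exact sizes
so it still applies if the input is varied.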
