Hi,
Securin Disclose via GNU coreutils Bug Reports <[email protected]>
> We have identified a **Format String + Stack Buffer Overflow** vulnerability in
> **coreutils-printf**.
>
> **CWE-121** | **CVSS 9.8 (Critical)** | **Remote Code Execution**
>
> ### Description
>
> User-controlled input reaches a dangerous sink without sanitization, enabling
> memory corruption and arbitrary code execution.
> Confirmed via AddressSanitizer: `ERROR: AddressSanitizer: stack-buffer-overflow`.
Do you have an example invocation of 'printf' that would cause
AddressSanitizer to fail?
> ### Affected Location
>
> | | |
> |---|---|
> | **File** | `src/printf.c` |
> | **Line** | `511` |
> | **Function** | `print_formatted()` |
> | **Source** | `argv[optind]` |
> | **Sink** | `printf(spec, argv[i])` |
That file does not use optind, as can be seen with the following
command:
$ grep -F optind src/printf.c
> | **Impact** | Remote Code Execution |
I think more evidence is needed before making this claim.
> ### Recommended Fix
> - In `src/printf.c` function `print_formatted()`: replace `printf(spec, argv[i])`
>   with `printf("%s", ...)` — never pass user input as format string.
But the entire point of the 'printf' program is to take user input as
the format string.
> - In `src/printf.c` function `print_formatted()`: replace `sprintf(buf, ...)`
> with `snprintf(buf, sizeof(buf), ...)` — bound all copies to buffer size.
That file does not use sprintf, as can be seen with the following command:
$ grep -F sprintf src/printf.c
> - Add `-Wformat -Wformat-security -Werror=format-security` to CFLAGS.
> - Enable ASAN in CI builds: `-fsanitize=address,undefined` to catch
> regressions.
> - Compile with `-fstack-protector-strong -D_FORTIFY_SOURCE=2`.
>
> ### Disclosure
> - **Discovered:** 2026-04-10
Given the issues mentioned previously, the "Coordinated Disclosure"
being sent to a public list, and the markdown formatting, I suspect that
this mail is an LLM hallucination.
Collin
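As an added illustration (not coreutils' code, and not the `print_formatted()` the report names), this is the pattern that makes a user-supplied format string safe in a printf(1)-style utility: the program interprets the format itself and hands libc only a fixed, program-owned spec per directive. The `render_format` function and its constructed inputs are assumptions for the example; it supports only %s, %d and %%.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded-output helpers: where to write next and how much room is left. */
static char *out_at(char *out, size_t outsz, size_t pos) { return out + (pos < outsz ? pos : outsz); }
static size_t out_left(size_t outsz, size_t pos) { return pos < outsz ? outsz - pos : 0; }

/* Walk a user-controlled format directive by directive and, for each
 * recognised conversion, call the C library with a fixed spec ("%s" or
 * "%ld") and exactly one argument. The user's bytes never become the libc
 * format string, so a "%n" or a surplus "%x" in them has nothing to reach.
 * Writes at most outsz bytes (NUL-terminated when outsz > 0) and returns
 * the full output length snprintf-style, or -1 for an unknown directive. */
int render_format(const char *fmt, int argc, char **argv, char *out, size_t outsz)
{
    size_t pos = 0; /* bytes of output produced so far */
    int ai = 0;     /* next argument to consume */

    for (const char *p = fmt; *p; p++) {
        int n;
        if (*p != '%') {                 /* literal byte, copied bounded */
            if (pos < outsz) out[pos] = *p;
            pos++;
            continue;
        }
        switch (*++p) {                  /* a trailing '%' hits default below */
        case '%':
            if (pos < outsz) out[pos] = '%';
            pos++;
            continue;
        case 's': {                      /* missing argument renders as "" */
            const char *a = ai < argc ? argv[ai++] : "";
            n = snprintf(out_at(out, outsz, pos), out_left(outsz, pos), "%s", a);
            break;
        }
        case 'd': {                      /* missing or non-numeric renders as 0 */
            long v = ai < argc ? strtol(argv[ai++], NULL, 10) : 0;
            n = snprintf(out_at(out, outsz, pos), out_left(outsz, pos), "%ld", v);
            break;
        }
        default:
            return -1;                   /* unknown directive: refuse, do not guess */
        }
        pos += (size_t)n;
    }
    if (outsz) out[pos < outsz ? pos : outsz - 1] = '\0';
    return (int)pos;
}
```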