Source: rust-coreutils X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerability was published for rust-coreutils. CVE-2026-35351[0]: | The mv utility in uutils coreutils fails to preserve file ownership | during moves across different filesystem boundaries. The utility | falls back to a copy-and-delete routine that creates the destination | file using the caller's UID/GID rather than the source's metadata. | This flaw breaks backups and migrations, causing files moved by a | privileged user (e.g., root) to become root-owned unexpectedly, | which can lead to information disclosure or restricted access for | the intended owners. https://github.com/uutils/coreutils/issues/9714 https://github.com/uutils/coreutils/pull/11706 Fixed by: https://github.com/uutils/coreutils/commit/874efa7cc3361cb5af2a97db869147f910bcab44 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-35351 https://www.cve.org/CVERecord?id=CVE-2026-35351 Please adjust the affected versions in the BTS as needed.
