{"id":"MGASA-2019-0022","summary":"Updated coreutils packages fix security vulnerabilities","details":"A flaw was found in GNU Coreutils through 8.29 in chown-core.c. The\nfunctions chown and chgrp do not prevent replacement of a plain file\nwith a symlink during use of the POSIX \"-R -L\" options, which allows\nlocal users to modify the ownership of arbitrary files by leveraging a\nrace condition (CVE-2017-18018).\n\nA flaw was found in Gnulib before 2018-09-23. The convert_to_decimal\nfunction in vasnprintf.c has a heap-based buffer overflow because memory\nis not allocated for a trailing '\\0' character during %f processing\n(CVE-2018-17942).\n","modified":"2026-01-31T02:21:23.999150Z","published":"2019-01-08T21:50:23Z","related":["CVE-2017-18018","CVE-2018-17942"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0022.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23825"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JK2ISMPYUEU3JS3L7AVXEHWCI56INCJJ/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4ZP6L5HXDOVKYTM5ELLYE64H75MT4LZR/"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22495"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23825"}],"affected":[{"package":{"name":"coreutils","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/coreutils?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.25-3.1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0022.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}