Skip to content

Commit a5f9a98

Browse files
1 parent b496046 commit a5f9a98

2 files changed

Lines changed: 80 additions & 6 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-vp6q-mv9j-j428/GHSA-vp6q-mv9j-j428.json

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,12 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-vp6q-mv9j-j428",
4-
"modified": "2026-04-29T22:50:01Z",
4+
"modified": "2026-07-06T19:27:28Z",
55
"published": "2026-04-22T18:31:44Z",
6-
"aliases": [
7-
"CVE-2026-35339"
8-
],
9-
"summary": "uutils coreutils incorrectly handles exit codes when processing multiple files",
10-
"details": "The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.",
6+
"withdrawn": "2026-07-06T19:27:28Z",
7+
"aliases": [],
8+
"summary": "Duplicate Advisory: uutils coreutils incorrectly handles exit codes when processing multiple files",
9+
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4x34-chg5-mwjj. This link is maintained to preserve external references.\n\n### Original Description\nThe recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.",
1110
"severity": [
1211
{
1312
"type": "CVSS_V3",
Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4x34-chg5-mwjj",
4+
"modified": "2026-07-06T19:27:41Z",
5+
"published": "2026-07-06T19:27:41Z",
6+
"aliases": [
7+
"CVE-2026-35339"
8+
],
9+
"summary": "chmod: recursive mode returns exit code 0 even when some files fail (last-file-wins)",
10+
"details": "In `Chmoder::chmod()` the recursive branch overwrites the running result instead of accumulating it, so the exit code reflects only the *last* file processed:\n\n```\nif self.recursive {\n r = self.walk_dir_with_context(file, true); // overwrites r\n} else {\n r = self.chmod_file(file).and(r);\n}\n```\n\n**PoC:** GNU returns 1 when a file fails; uutils returns 0 if the last entry succeeds:\n\n```\n$ chmod -R 0755 chmod-bug/root chmod-bug/user # GNU -> ret=1\n$ uutils chmod -R 0755 chmod-bug/root chmod-bug/user # -> ret=0\n```\n\n**Impact:** scripts relying on the exit code get a false success signal while some files retained restrictive/unexpected permissions, leading to access-control misconfigurations. Recommendation: accumulate errors during traversal.\n\n**Remediation:** Acknowledged by Canonical; fixed in commit abd581f6.\n\n---\n_Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`. Finding 3.2. Credit: Zellic._",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "uu_chmod"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.6.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/uutils/coreutils/security/advisories/GHSA-4x34-chg5-mwjj"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35339"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/uutils/coreutils/pull/9793"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/uutils/coreutils/commit/abd581f62e97d0b147306ac40eac13af71c6fbba"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/uutils/coreutils"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0"
62+
}
63+
],
64+
"database_specific": {
65+
"cwe_ids": [
66+
"CWE-252",
67+
"CWE-253",
68+
"CWE-755"
69+
],
70+
"severity": "MODERATE",
71+
"github_reviewed": true,
72+
"github_reviewed_at": "2026-07-06T19:27:41Z",
73+
"nvd_published_at": null
74+
}
75+
}

0 commit comments

Comments
 (0)