oss-sec mailing list archives
Re: uutils coreutils CVEs
From: Jan Schaumann <jschauma () netmeister org>
Date: Sat, 2 May 2026 10:01:00 -0400
Collin Funk <collin.funk1 () gmail com> wrote:

> We can see that uutils 'mkfifo' creates the fifo with world readable and writable permissions and then uses chmod()
>
> umask(000) = 002
> umask(002) = 000
> mknodat(AT_FDCWD, "/tmp/fifo", S_IFIFO|0666) = 0

Minor difference, and not disputing the race condition here, but doesn't this initially yield a fifo with mode 664, not 666 due to the umask(002) right before? I.e., not _world_ writable (although _group_ writable), even prior to chmod(2).

-Jan
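The following is an added example, not part of the original message or of the uutils or GNU code: it repeats the quoted `mknodat(AT_FDCWD, ..., S_IFIFO|0666)` call under a chosen umask and reports the permission bits the fifo has at creation, before any chmod(2). The helper name `fifo_mode_at_creation` and the temporary directory template are assumptions made for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a fifo inside a fresh private directory with the given umask and
 * requested mode, and return the permission bits it has right after
 * creation (no chmod is performed). Returns -1 on error. */
static int fifo_mode_at_creation(mode_t mask, mode_t requested)
{
    char dir[] = "/tmp/fifo-demo-XXXXXX";   /* constructed sample location */
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)                /* mode 0700, so nobody else can reach the fifo */
        return -1;
    snprintf(path, sizeof path, "%s/fifo", dir);

    mode_t old = umask(mask);                /* umask() returns the previous mask */
    if (mknodat(AT_FDCWD, path, S_IFIFO | requested, 0) == 0) {
        if (stat(path, &st) == 0)            /* stat() does not open the fifo */
            result = (int)(st.st_mode & 07777);
        unlink(path);
    }
    umask(old);                              /* restore the caller's mask */
    rmdir(dir);
    return result;
}

int main(void)
{
    /* The kernel applies requested & ~umask at creation time. */
    printf("umask 002, mode 0666 -> %04o\n", fifo_mode_at_creation(002, 0666));
    printf("umask 000, mode 0666 -> %04o\n", fifo_mode_at_creation(000, 0666));
    printf("umask 077, mode 0666 -> %04o\n", fifo_mode_at_creation(077, 0666));
    return 0;
}
```

With the mask the trace shows in effect at the `mknodat` call (002), the fifo starts out group writable but not world writable; only a mask of 000 would yield 0666.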
