Re: uutils coreutils CVEs

[Jakub Wilk <jwilk () jwilk net>]

* Collin Funk <collin.funk1 () gmail com>, 2026-05-01 18:49:
> * CVE-2026-35352
>
> We can see that uutils 'mkfifo' creates the fifo with world readable 
> and writable permissions and then uses chmod() which introduces a 
> TOCTOU race that can be exploited by another user creating a symbolic 
> link in it's place:
>
>    $ mkfifo --version
>    mkfifo (uutils coreutils) 0.8.0
>    $ strace mkfifo -m 700 /tmp/fifo
>    [...]
>    umask(000)                              = 002
>    umask(002)                              = 000
>    mknodat(AT_FDCWD, "/tmp/fifo", S_IFIFO|0666) = 0
>    chmod("/tmp/fifo", 0700)                = 0

Creating the FIFO with default permission could allow other users to 
open it before the chmod(..., 0700) call. This is indeed a 
vulnerability, but unrelated to symlinks, and it's a different issue 
than the one in the description of CVE-2026-35352:

> A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the 
> mkfifo utility of uutils coreutils. The utility creates a FIFO and then 
> performs a path-based chmod to set permissions. A local attacker with 
> write access to the parent directory can swap the newly created FIFO 
> for a symbolic link between these two operations.

Note that this attack doesn't work in /tmp, because the sticky bit 
prevents the attacker from deleting or renaming other users' files. The 
victim would have to do something like "mkfifo /home/mallory/fifo". So, 
uh, don't do that?

It's questionable if this is a vulnerability at all.

--
Jakub Wilk