<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:uutils:coreutils:-:*:*:*:*:Rust:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3auutilscoreutils-rust/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:56:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3auutilscoreutils-rust/feed.xml" rel="self" type="application/rss+xml"/><item><title>mkfifo: permissions of an existing file are changed after FIFO creation fails</title><link>https://feed.craftedsignal.io/briefs/2026-07-mkfifo-permission-relax/</link><pubDate>Mon, 06 Jul 2026 21:56:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mkfifo-permission-relax/</guid><description>A vulnerability (CVE-2026-35341) exists in the `uu_mkfifo` utility of `uutils coreutils`, affecting versions prior to 0.6.0. When `mkfifo()` fails because the target file already exists, the utility incorrectly proceeds to modify the permissions of the pre-existing file to `0644`. This can inadvertently relax permissions on sensitive owner-only files, such as SSH private keys, making them accessible to other users on the system and potentially enabling unauthorized access or information disclosure. The issue has been patched in PR #10376.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-35341) has been identified in <code>uu_mkfifo</code>, a utility within <code>uutils coreutils</code>, affecting all versions prior to 0.6.0. The flaw, reported by Zellic during a security assessment for Canonical, occurs when <code>mkfifo()</code> is invoked on a path that already exists as a regular file. Instead of simply reporting an error and exiting, the <code>uu_mkfifo</code> utility inadvertently proceeds to call <code>fs::set_permissions</code> on the pre-existing file. This action modifies the file's permissions to the default FIFO mode (typically <code>0644</code>), effectively relaxing previously strict access controls. This vulnerability enables an attacker with local access to inadvertently or maliciously expose sensitive, owner-only files, such as SSH private keys, to other users on the system, leading to unauthorized information disclosure and potential privilege escalation. The issue has been acknowledged and a fix implemented in PR #10376.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains local access to a Linux system running an affected version of <code>uutils coreutils</code> (<code>uu_mkfifo</code> &lt; 0.6.0).</li>
<li>The attacker identifies a sensitive file with highly restricted permissions, such as an SSH private key (<code>~/.ssh/id_rsa</code>), which is typically set to <code>0600</code> or <code>0400</code>.</li>
<li>The attacker attempts to create a FIFO (named pipe) using the vulnerable <code>uu_mkfifo</code> utility, specifying the path of the sensitive file as the target (e.g., <code>uu_mkfifo ~/.ssh/id_rsa</code>).</li>
<li>The <code>mkfifo()</code> system call invoked by <code>uu_mkfifo</code> fails because a file with the specified name (<code>~/.ssh/id_rsa</code>) already exists.</li>
<li>Due to a logical error (missing <code>continue;</code> statement after the error handling), <code>uu_mkfifo</code> incorrectly proceeds to invoke <code>fs::set_permissions</code> on the existing sensitive file.</li>
<li>The file's permissions are subsequently changed from their strict original setting (e.g., <code>0600</code>) to the default FIFO creation permissions (e.g., <code>0644</code>).</li>
<li>The sensitive file, now with relaxed permissions, becomes readable by other unprivileged users on the system.</li>
<li>Other users or processes can now read the contents of the sensitive file (e.g., the SSH private key), leading to unauthorized information disclosure or further credential compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-35341 can lead to significant information disclosure and potential privilege escalation on affected Linux systems. An attacker, or even an unsuspecting user, can inadvertently relax file permissions on critical owner-only files, such as SSH private keys, API keys, or configuration files containing credentials. If these files are exposed, unauthorized users could read their contents, enabling lateral movement within the network, unauthorized access to systems, or further credential harvesting. While no specific victim count or targeted sectors have been reported for active exploitation, the coreutils package is fundamental, making a wide range of Linux environments potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch <code>uutils coreutils</code> to version 0.6.0 or later to remediate CVE-2026-35341.</li>
<li>Implement file integrity monitoring (FIM) for sensitive files (e.g., SSH keys, <code>/etc/shadow</code>, API keys) to detect unexpected permission changes, which may be logged via <code>file_event</code> category logs.</li>
<li>Review process creation logs for <code>uu_mkfifo</code> executions (<code>process_creation</code> category) targeting existing sensitive files and investigate any subsequent unauthorized permission modifications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>vulnerability</category><category>linux</category><category>coreutils</category><category>permissions</category><category>information-disclosure</category><category>privilege-escalation</category></item></channel></rss>