[Pkg-rust-maintainers] Bug#1135992: rust-coreutils: CVE-2026-35341
Moritz Mühlenhoff
jmm at inutil.org
Fri May 8 14:05:20 BST 2026
Source: rust-coreutils
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-coreutils.
CVE-2026-35341[0]:
| A vulnerability in uutils coreutils mkfifo allows for the
| unauthorized modification of permissions on existing files. When
| mkfifo fails to create a FIFO because a file already exists at the
| target path, it fails to terminate the operation for that path and
| continues to execute a follow-up set_permissions call. This results
| in the existing file's permissions being changed to the default mode
| (often 644 after umask), potentially exposing sensitive files such
| as SSH private keys to other users on the system.
https://github.com/uutils/coreutils/issues/10020
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-35341
https://www.cve.org/CVERecord?id=CVE-2026-35341
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-rust-maintainers
mailing list