Coreutils: heap buffer under-read in gnu coreutils sort via key specification
Summary
A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. Affected products named by the advisory: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 9; Red Hat Discovery 2; Red Hat Insights proxy 1.5; and 3 more. Affected products named by the advisory: Red Hat OpenShift distributed tracing 3.10.1; Red Hat Enterprise Linux 8; Red Hat OpenShift Container Platform 4.
What this means
In plain English
A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. Affected products named by the advisory: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 9; Red Hat Discovery 2; Red Hat Insights proxy 1.5; and 3 more. Affected products named by the advisory: Red Hat OpenShift distributed tracing 3.10.1; Red Hat Enterprise Linux 8; Red Hat OpenShift Container Platform 4.
Recommended action
Primary action: update to a vendor-listed fixed release: 9.8.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- 7.2 before 9.8
Official advisory · high-confidence parse· fetched 3 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 9.8. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 3 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.