Date: Thu, 18 Jan 2024 09:40:50 +0100
From: Valentin Metz <>
Subject: GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow

I have discovered a vulnerability in the GNU coreutils "split" program.
Specifically, it concerns a heap overflow with user-controlled data of 
multiple hundred bytes in length.
It was introduced in 40bf1591bb4362fa91e501bcec7c2029c5f65a43 on 
2023-03-04.

Relevant diff:
@@ -816,15 +820,10 @@
            /* Update hold if needed.  */
            if ((eoc && split_rest) || (!eoc && n_left))
-              size_t n_buf = eoc ? split_rest : n_left;
+              idx_t n_buf = eoc ? split_rest : n_left;
                if (hold_size - n_hold < n_buf)
-                {
-                  if (hold_size <= SIZE_MAX - bufsize)
-                    hold_size += bufsize;
-                  else
-                    xalloc_die ();
-                  hold = xrealloc (hold, hold_size);
-                }
+                hold = xpalloc (hold, &hold_size, n_buf - (hold_size - 
+                                -1, sizeof *hold);
                memcpy (hold + n_hold, sob, n_buf);
                n_hold += n_buf;
                n_left -= n_buf;
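Review bot: the new xpalloc line is truncated in this quote ("n_buf - (hold_size -" has no second operand or closing parenthesis before "-1, sizeof *hold);"), so the increment passed to xpalloc cannot be checked as shown; please quote the complete line. What is visible is that the growth policy changes from fixed bufsize steps (the removed "hold_size += bufsize", which guaranteed hold_size was at least bufsize after the first growth) to growing by only the shortfall between hold_size - n_hold and n_buf, so after this change the guard "if (hold_size - n_hold < n_buf)" is the only thing standing between the memcpy (hold + n_hold, sob, n_buf) that follows and a heap overwrite, and that guard is only as good as hold_size. Every other assignment to hold or hold_size in this function should be re-checked against the new, smaller capacities, and an assert (n_buf <= hold_size - n_hold) placed directly before the memcpy would turn a silent overwrite into an immediate abort.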

This allowed the "hold" buffer to overflow in the memcpy() of line 827 
(right below the marked diff).

The GNU coreutils maintainers have been informed, and a fix was deployed 
today with c4c5ed8f4e9cd55a12966d4f520e3a13101637d9.

A proof-of-concept file to trigger the crash is available under
You can use it to trigger a segmentation fault (SIGABRT) in split, using 
"split -C 1024 ./split_me".
A detailed writeup will follow once distro maintainers have had some 
time to distribute a fix.
A CVE-ID is yet to be assigned.

With excellent regards,
Valentin Metz
