Bug 34313 - coreutils new security issue CVE-2025-5278
Summary: coreutils new security issue CVE-2025-5278
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-05-28 10:33 CEST by Nicolas Salguero
Modified: 2025-05-31 05:36 CEST

See Also:
Source RPM: coreutils-9.1-1.mga9.src.rpm
CVE: CVE-2025-5278
Status comment:



Description Nicolas Salguero 2025-05-28 10:33:32 CEST
CVE-2025-5278 was announced here:
https://www.openwall.com/lists/oss-security/2025/05/27/2
Comment 1 Nicolas Salguero 2025-05-28 10:34:39 CEST
Upstream fix: https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633

Status comment: (none) => Patch available from upstream
Source RPM: (none) => coreutils-9.5-3.mga10.src.rpm, coreutils-9.1-1.mga9.src.rpm
CVE: (none) => CVE-2025-5278
Whiteboard: (none) => MGA9TOO

Comment 2 Nicolas Salguero 2025-05-28 16:46:18 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap buffer under-read in GNU coreutils sort via key specification. (CVE-2025-5278)

References:
https://www.openwall.com/lists/oss-security/2025/05/27/2
========================

Updated packages in core/updates_testing:
========================
coreutils-9.1-1.1.mga9
coreutils-doc-9.1-1.1.mga9

from SRPM:
coreutils-9.1-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Status comment: Patch available from upstream => (none)
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: coreutils-9.5-3.mga10.src.rpm, coreutils-9.1-1.mga9.src.rpm => coreutils-9.1-1.mga9.src.rpm

katnatek 2025-05-28 21:23:32 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2025-05-28 22:26:51 CEST
RH x86_64

installing coreutils-9.1-1.1.mga9.x86_64.rpm coreutils-doc-9.1-1.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: coreutils             ##################################################################################################
      2/2: coreutils-doc         ##################################################################################################
      1/2: removing coreutils-doc-9.1-1.mga9.noarch
                                 ##################################################################################################
      2/2: removing coreutils-9.1-1.mga9.x86_64
                                 ##################################################################################################

Reference: bug#23825 comment#4

Tested commands basename, cat, date, df, id, hostid, uname, users, whoami, mkdir, rmdir

Looks good to me
Comment 4 Herman Viaene 2025-05-29 14:57:38 CEST
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues:
Same ref as above:
$ basename /usr/bin/sort
sort

$ cat > test.txt  
testing
^D
Checked the file in dolphin
$ date
Thu 29 May 2025 14:44:20 CEST

$ df
Filesystem                                   Size  Used Avail Use% Mounted on
devtmpfs                                     3.6G     0  3.6G   0% /dev
tmpfs                                        3.7G  1.1M  3.7G   1% /dev/shm
tmpfs                                        3.7G  1.4M  3.7G   1% /run
/dev/sda5                                     79G   26G   49G  35% /
efivarfs                                      84K   37K   43K  47% /sys/firmware/efi/efivars
tmpfs                                        3.7G  8.0K  3.7G   1% /tmp
/dev/sda2                                    311M  320K  311M   1% /boot/EFI
/dev/sda4                                    242G   13G  230G   6% /home
mach1.hviaene.thuis:/beelden                 442G  230G  189G  55% /mnt/beelden
mach1.hviaene.thuis:/video2                  1.3T  740G  452G  63% /mnt/video2
mach1.hviaene.thuis:/home/herman/Documenten  580G  359G  222G  62% /mnt/Documenten
tmpfs                                        739M  176K  739M   1% /run/user/1000

$ id
uid=1000(tester9) gid=1000(tester9) groups=1000(tester9)

$ hostid
a8c00302

$ uname -a
Linux mach3.hviaene.thuis 6.6.92-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu May 22 
$ users
tester9 tester9

$ whoami
tester9

$ mkdir zzzz

$ ls
 bin/       Documents/   Mail/        Music/      projects/     Templates/       testsvn/   thinclient_drives/   Videos/
 Desktop/   Downloads/   Mailclaws/   Pictures/   qa-testing/  'test34012.db;'   test.txt   tmp/                 zzzz/

$ rmdir zzzz

$ ls
 bin/       Documents/   Mail/        Music/      projects/     Templates/       testsvn/   thinclient_drives/   Videos/
 Desktop/   Downloads/   Mailclaws/   Pictures/   qa-testing/  'test34012.db;'   test.txt   tmp/

All looks OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2025-05-30 14:20:54 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2025-05-31 05:36:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0172.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

