Security Advisory Low: coreutils security, bug fix, and enhancement update

Advisory: RHSA-2013:1652-2
Type: Security Advisory
Severity: Low
Issued on: 2013-11-21
Last updated on: 2013-11-21
Affected Products: Red Hat Enterprise Linux Desktop (v. 6); Red Hat Enterprise Linux HPC Node (v. 6); Red Hat Enterprise Linux Server (v. 6); Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2013-0221, CVE-2013-0222, CVE-2013-0223

Details

Updated coreutils packages that fix three security issues and several bugs,
and add two enhancements, are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The coreutils package contains the core GNU utilities. It is a combination
of the old GNU fileutils, sh-utils, and textutils packages.

It was discovered that the sort, uniq, and join utilities did not properly
restrict the use of the alloca() function. An attacker could use this flaw
to crash those utilities by providing long input strings. (CVE-2013-0221,
CVE-2013-0222, CVE-2013-0223)
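
The flaw class described above, as an added example (not code from coreutils or from Red Hat's patches): a case-insensitive line comparison whose scratch buffer is sized by the input, first with unrestricted alloca() and then with a stack cap and heap fallback. The function names and the 4096-byte cap are assumptions made for the illustration.

```c
#include <alloca.h>
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STACK_SCRATCH_MAX 4096 /* assumed cap; larger requests use the heap */

/* Lower-case len bytes of src into dst and NUL-terminate. */
static void fold_lower(char *dst, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[len] = '\0';
}

/* Flawed pattern, for contrast: the alloca() size comes straight from the
   input, so a long enough line exhausts the stack and the process crashes. */
int cmp_ci_unbounded(const char *a, size_t alen, const char *b, size_t blen)
{
    char *la = alloca(alen + 1);
    char *lb = alloca(blen + 1);
    fold_lower(la, a, alen);
    fold_lower(lb, b, blen);
    return strcmp(la, lb);
}

/* Bounded form: stack only below the cap, heap (with failure check) above.
   Returns 0 and stores a strcmp-style value in *result, or -1 on failure. */
int cmp_ci_bounded(const char *a, size_t alen, const char *b, size_t blen,
                   int *result)
{
    if (alen > SIZE_MAX - 2 || blen > SIZE_MAX - 2 - alen)
        return -1;                      /* size computation would overflow */
    size_t need = alen + blen + 2;
    int on_heap = need > STACK_SCRATCH_MAX;
    char *buf = on_heap ? malloc(need) : alloca(need);
    if (buf == NULL)
        return -1;                      /* heap allocation failed */
    fold_lower(buf, a, alen);
    fold_lower(buf + alen + 1, b, blen);
    *result = strcmp(buf, buf + alen + 1);
    if (on_heap)
        free(buf);
    return 0;
}
```

With the bounded form, an oversized line results in a heap allocation that can fail cleanly and be reported, not in a stack overrun.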

These updated coreutils packages include numerous bug fixes and two
enhancements. Space precludes documenting all of these changes in this
advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical
Notes, linked to in the References, for information on the most significant
of these changes.

All coreutils users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
coreutils-8.4-31.el6.src.rpm
File outdated by:  RHBA-2014:1457
    MD5: 3d44cdec4f27ad731c856bb6304aff48
SHA-256: c8b4fd38203a242ee937786bfff12606f5b6333d6572ed8dc481400294bc3d07
 
IA-32:
coreutils-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: 469b73d84eb8de54a3423455c4c2d34e
SHA-256: 178e4ae2d4ce47b9cc623028235d32f6b470f44fe6ff437f69d5c18d544e03b3
coreutils-debuginfo-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: 0102a2ec6809f91d1cd80100ac6159a4
SHA-256: 8458461c18023dff7ccc57df2fe54c3d220d4cda50d42a9c0a8b74599d1304e9
coreutils-libs-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: d652b639cf5fc668e6d844b08d262596
SHA-256: 4aad961391a8e320e90e533b7eed4f8ba4a4bc31dd7a59821a3e0884512f7509
 
x86_64:
coreutils-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 1dd285617ca843e55bef7eac94be2d4a
SHA-256: 5849ee0a8943e5f0015bf9755c81b1d0cfe44822fd4d69b8b656b69e18bfd153
coreutils-debuginfo-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 69ce2b774a0b7281c942cd1870714c68
SHA-256: 6404ed3894b2a7955af51479f828e14cc519f3e976288ab86b088e05f011be2e
coreutils-libs-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 17c191822d270b125a33a29b3773df61
SHA-256: c5128872d93845270d26a0b144c02c7f0e4db89b35bcbbaed79f42159987704b
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
coreutils-8.4-31.el6.src.rpm
File outdated by:  RHBA-2014:1457
    MD5: 3d44cdec4f27ad731c856bb6304aff48
SHA-256: c8b4fd38203a242ee937786bfff12606f5b6333d6572ed8dc481400294bc3d07
 
x86_64:
coreutils-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 1dd285617ca843e55bef7eac94be2d4a
SHA-256: 5849ee0a8943e5f0015bf9755c81b1d0cfe44822fd4d69b8b656b69e18bfd153
coreutils-debuginfo-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 69ce2b774a0b7281c942cd1870714c68
SHA-256: 6404ed3894b2a7955af51479f828e14cc519f3e976288ab86b088e05f011be2e
coreutils-libs-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 17c191822d270b125a33a29b3773df61
SHA-256: c5128872d93845270d26a0b144c02c7f0e4db89b35bcbbaed79f42159987704b
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
coreutils-8.4-31.el6.src.rpm
File outdated by:  RHBA-2014:1457
    MD5: 3d44cdec4f27ad731c856bb6304aff48
SHA-256: c8b4fd38203a242ee937786bfff12606f5b6333d6572ed8dc481400294bc3d07
 
IA-32:
coreutils-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: 469b73d84eb8de54a3423455c4c2d34e
SHA-256: 178e4ae2d4ce47b9cc623028235d32f6b470f44fe6ff437f69d5c18d544e03b3
coreutils-debuginfo-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: 0102a2ec6809f91d1cd80100ac6159a4
SHA-256: 8458461c18023dff7ccc57df2fe54c3d220d4cda50d42a9c0a8b74599d1304e9
coreutils-libs-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: d652b639cf5fc668e6d844b08d262596
SHA-256: 4aad961391a8e320e90e533b7eed4f8ba4a4bc31dd7a59821a3e0884512f7509
 
PPC:
coreutils-8.4-31.el6.ppc64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 5991d62a47ff9e3d710f445714609821
SHA-256: 199d8e2dd8c2124831420d8f10960788e8b3dc7ae6ad88eb9ebb10fc9030f030
coreutils-debuginfo-8.4-31.el6.ppc64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 75815e461ff82085de92dae9c94e4920
SHA-256: 0e973392e6659c04f1bda292d717f9dfe6d6fe35cc1149f4b11ff89fc0082ec8
coreutils-libs-8.4-31.el6.ppc64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 92766e8bc2b82f727980b02a88f30f32
SHA-256: b29b4250e65d9dfaf444a962f139b5028521213b39b11aaecab27f714c2c2157
 
s390x:
coreutils-8.4-31.el6.s390x.rpm
File outdated by:  RHBA-2014:1457
    MD5: 68132363dfa0b53874b2c99c1c64d417
SHA-256: a0f9c0af71905c4b974a0ac05f75987615368bbe8ec34bd463ecac2b1189d9cf
coreutils-debuginfo-8.4-31.el6.s390x.rpm
File outdated by:  RHBA-2014:1457
    MD5: 74b1af953203611004ddbf4bfb4c4897
SHA-256: 8fd1c509f0da28146d09087d474e0c7ec322c9da7add4d0353b1c2f9f691840d
coreutils-libs-8.4-31.el6.s390x.rpm
File outdated by:  RHBA-2014:1457
    MD5: ab91f3d428951026b478a69ea120c30f
SHA-256: 058b1c35adf80652e49ac198d95bd0311a1491bda485814ec5a8dea91ec7d7e4
 
x86_64:
coreutils-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 1dd285617ca843e55bef7eac94be2d4a
SHA-256: 5849ee0a8943e5f0015bf9755c81b1d0cfe44822fd4d69b8b656b69e18bfd153
coreutils-debuginfo-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 69ce2b774a0b7281c942cd1870714c68
SHA-256: 6404ed3894b2a7955af51479f828e14cc519f3e976288ab86b088e05f011be2e
coreutils-libs-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 17c191822d270b125a33a29b3773df61
SHA-256: c5128872d93845270d26a0b144c02c7f0e4db89b35bcbbaed79f42159987704b
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
coreutils-8.4-31.el6.src.rpm
File outdated by:  RHBA-2014:1457
    MD5: 3d44cdec4f27ad731c856bb6304aff48
SHA-256: c8b4fd38203a242ee937786bfff12606f5b6333d6572ed8dc481400294bc3d07
 
IA-32:
coreutils-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: 469b73d84eb8de54a3423455c4c2d34e
SHA-256: 178e4ae2d4ce47b9cc623028235d32f6b470f44fe6ff437f69d5c18d544e03b3
coreutils-debuginfo-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: 0102a2ec6809f91d1cd80100ac6159a4
SHA-256: 8458461c18023dff7ccc57df2fe54c3d220d4cda50d42a9c0a8b74599d1304e9
coreutils-libs-8.4-31.el6.i686.rpm
File outdated by:  RHBA-2014:1457
    MD5: d652b639cf5fc668e6d844b08d262596
SHA-256: 4aad961391a8e320e90e533b7eed4f8ba4a4bc31dd7a59821a3e0884512f7509
 
x86_64:
coreutils-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 1dd285617ca843e55bef7eac94be2d4a
SHA-256: 5849ee0a8943e5f0015bf9755c81b1d0cfe44822fd4d69b8b656b69e18bfd153
coreutils-debuginfo-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 69ce2b774a0b7281c942cd1870714c68
SHA-256: 6404ed3894b2a7955af51479f828e14cc519f3e976288ab86b088e05f011be2e
coreutils-libs-8.4-31.el6.x86_64.rpm
File outdated by:  RHBA-2014:1457
    MD5: 17c191822d270b125a33a29b3773df61
SHA-256: c5128872d93845270d26a0b144c02c7f0e4db89b35bcbbaed79f42159987704b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

747592 - segfault message suppressed with su -c
816708 - id and groups commands sometimes lie
827199 - [RHEL6] tail -f doesn't work on panasas file systems
836557 - du gives bogus warning if named service is running
842040 - df -P gives new lines where '\n' is in any of the /proc/mounts fields.
903464 - CVE-2013-0221 coreutils: segfault in "sort -d" and "sort -M" with long line input
903465 - CVE-2013-0222 coreutils: segfault in uniq with long line input
903466 - CVE-2013-0223 coreutils: segfault in "join -i" with long line input
908980 - Provide the conv=sparse option in dd
965654 - dd option status=noxfer is ignored
980061 - mv: fails to overwrite directory on cross-filesystem copy with EISDIR


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/