Fabre

#1135992 rust-coreutils: CVE-2026-35341 #1135992

Package:: src:rust-coreutils

Source:: src:rust-coreutils

Submitter:: Moritz Mühlenhoff

Date:: 2026-06-06 08:51:03 UTC

Severity:: normal

Tags:

#1135992#5

Date:: 2026-05-08 13:05:20 UTC

From:

To:

Hi,

The following vulnerability was published for rust-coreutils.

CVE-2026-35341[0]:
| A vulnerability in uutils coreutils mkfifo allows for the
| unauthorized modification of permissions on existing files. When
| mkfifo fails to create a FIFO because a file already exists at the
| target path, it fails to terminate the operation for that path and
| continues to execute a follow-up set_permissions call. This results
| in the existing file's permissions being changed to the default mode
| (often 644 after umask), potentially exposing sensitive files such
| as SSH private keys to other users on the system.

https://github.com/uutils/coreutils/issues/10020

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-35341
https://www.cve.org/CVERecord?id=CVE-2026-35341

Please adjust the affected versions in the BTS as needed.

#1135992 rust-coreutils: CVE-2026-35341 #1135992

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)