Collin Funk <collin.funk1@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.
Received: (at 80960) by debbugs.gnu.org; 4 May 2026 21:22:34 +0000
From: Paul Eggert <eggert@HIDDEN>
To: Muhammad Abdullah Khan Niazi <fict.0501@HIDDEN>
Cc: 80960 <at> debbugs.gnu.org
Date: Mon, 4 May 2026 14:22:24 -0700
Subject: Re: bug#80960: Out-of-bounds read / information disclosure in ls (coreutils 9.10)

On 2026-05-04 14:09, Muhammad Abdullah Khan Niazi wrote:
> - GNU coreutils 9.10 (latest from Debian)

Thanks for reporting the problem. Unfortunately I'm not seeing the issue
with GNU coreutils 9.10 x86-64, or with coreutils bleeding-edge, both
running on Fedora 44. Perhaps the bug has been fixed there? Or perhaps
the bug is in getopt and not in ls?

> The following command reproduces the issue on affected systems:
> ls -lsZXx1vUutSsRrQqpoNnmLkIiHhGgFfDdCcBbAa
>
> text

Unfortunately that's not enough information to reproduce the bug, as I
expect the problem depends on what directory you're running 'ls' in. Can
you reproduce the problem in an empty directory? If not, what's the
smallest directory that lets you reproduce the problem?
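A triage aid for the reply above, added here and not part of the thread: it splits the reported option cluster the way getopt-style parsing does, then runs the command in a fresh empty directory, the minimal case the reply asks about. The function names are hypothetical, and the option string is an assumption taken from the option list in the ls manual, where -I, -T and -w take an argument.

```shell
#!/bin/sh
# Added triage example; not part of the bug thread.

# Option cluster exactly as quoted in the report.
CLUSTER='-lsZXx1vUutSsRrQqpoNnmLkIiHhGgFfDdCcBbAa'

# Assumption: short options of GNU ls as listed in its manual. A ':' after a
# letter marks an option that takes an argument (-I PATTERN, -T COLS, -w COLS).
LS_OPTSTRING='abcdfghiklmnopqrstuvw:xABCDFGHI:LNQRST:UXZ1'

# split_cluster CLUSTER
# Print one line per option as getopt-style parsing sees it:
#   -x        a plain flag
#   -x=ARG    an option that consumed the rest of the cluster as its argument
split_cluster() {
    OPTIND=1
    while getopts ":$LS_OPTSTRING" opt "$1"; do
        case $opt in
            '?') printf '%s\n' "unknown -$OPTARG" ;;
            ':') printf '%s\n' "missing-argument -$OPTARG" ;;
            *)
                case $LS_OPTSTRING in
                    *"${opt}:"*) printf '%s\n' "-${opt}=$OPTARG" ;;
                    *)           printf '%s\n' "-${opt}" ;;
                esac
                ;;
        esac
    done
}

# empty_dir_run CLUSTER
# Run ls with CLUSTER in a fresh empty directory, the smallest test case the
# reply asks about, and report the exit status and the size of the output.
empty_dir_run() {
    dir=$(mktemp -d) || return 1
    listing=$(cd "$dir" && LC_ALL=C ls "$1" 2>&1)
    status=$?
    rmdir "$dir"
    printf 'exit=%s chars=%s\n' "$status" "${#listing}"
    printf '%s\n' "$listing"
}

split_cluster "$CLUSTER"
empty_dir_run "$CLUSTER"
```

For the reported cluster the last line printed by `split_cluster` is `-I=iHhGgFfDdCcBbAa`: everything after `I` is taken as the ignore pattern, so `-R` and `-L` are parsed as flags while the trailing `-d` and `-a` are not.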
bug-coreutils@HIDDEN:bug#80960; Package coreutils.
Full text available.
Received: (at submit) by debbugs.gnu.org; 4 May 2026 21:09:32 +0000
From: Muhammad Abdullah Khan Niazi <fict.0501@HIDDEN>
Date: Tue, 5 May 2026 02:09:01 +0500
Message-ID: <CAHKuZ+psM7cTh7jZUA0Y00BWixuQ7VV3P+PSBnD+uZc+TTqSuQ@HIDDEN>
Subject: Out-of-bounds read / information disclosure in ls (coreutils 9.10)
To: bug-coreutils@HIDDEN

Dear GNU Coreutils Maintainers,

I believe I have discovered an out-of-bounds read vulnerability in `ls`
that leads to memory disclosure (CWE-125 / CWE-200).

**Vulnerability Summary**

A specific long sequence of command-line flags causes `ls` to read and
print memory outside its intended bounds. The output includes system paths,
memory addresses, and other data not belonging to the current directory.
The program does not crash and returns exit code 0, making the issue silent
and potentially undetected.

**Proof of Concept**

The following command reproduces the issue on affected systems:
ls -lsZXx1vUutSsRrQqpoNnmLkIiHhGgFfDdCcBbAa

text

**Observed Behavior**

- `ls` prints a large amount of data not corresponding to the current
directory
- Output includes memory addresses, build paths, and other seemingly random
data
- The program does not terminate with an error
- Exit code is 0 (success)
- Running the same command multiple times produces different output
- A directory with few files outputs an inflated total blocks count (e.g.,
288,208 blocks for an empty directory)

**Expected Behavior**

`ls` should either reject the invalid flag combination, ignore unrecognized
or redundant flags, or list only the actual directory contents within
reasonable bounds.

**Affected Version**

- GNU coreutils 9.10 (latest from Debian)
- Output of `ls --version`:
ls (GNU coreutils) 9.10
Packaged by Debian (9.10-1)
Copyright (C) 2026 Free Software Foundation, Inc.

text

**Environment**

- Linux distribution: Kali Linux 2026.1
- Architecture: x86_64

**Severity Assessment**

This is an information disclosure vulnerability. A local attacker could
potentially read out-of-bounds memory contents, which may include sensitive
information or aid in bypassing ASLR. No special privileges are required.

**Additional Notes**

- This appears to be a memory corruption issue in argument parsing, likely
within `getopt_long` or flag processing logic
- The same behavior does not occur with shorter or more standard flag
combinations
- I have not tested other coreutils binaries, but similar behavior may exist

Please let me know if you require additional details, strace output, or a
valgrind report.

Thank you for your work on coreutils.

Respectfully,

Kaizen - Muhammad Abdullah Khan
(Independent security researcher)
Muhammad Abdullah Khan Niazi <fict.0501@HIDDEN>:bug-coreutils@HIDDEN.
Full text available.
bug-coreutils@HIDDEN:bug#80960; Package coreutils.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.