Hi,
We have found a bug in shuf, and we think it may result in a security problem. We compiled coreutils 8.22, which was downloaded from http://ftp.gnu.org/gnu/coreutils/, and ran it on my box, which is Ubuntu 12.04 x64. The bug details are as follows.

### Bug overview

shuf -er or shuf -eer [segmentation fault], impact [coreutils 8.22]

```
[15:03:59]xqx@server:~/data/xqx/projects/coreutils-8.22$ ./obj-gcov/src/shuf -er
Segmentation fault (core dumped)
```

### Analysis

When shuf executes -e without being given the expected input lines, it will assign n_lines to 0 in "write_random_lines" while "repeat" (-r) is set, and this var will be used as the genmax parameter when the "randint_genmax" function is called. The code is as follows in shuf.c:

```
/* shuf.c, lines 369-376 */
for (i = 0; i < count; i++)
  {
    const randint j = randint_choose (s, n_lines);
    char *const *p = lines + j;
    size_t len = p[1] - p[0];
    if (fwrite (p[0], sizeof *p[0], len, stdout) != len)
      return -1;
  }
```

'j' will be a random number between 0 and 0xffffffffffffffff on my 64-bit Ubuntu, and 'p' will be an unexpected pointer which will be accessed next. When p points to illegal memory, there will be an error when accessing it, which may result in a segmentation fault. If an attacker could control the random number generated by randint_choose, it may be possible to get information without legal authority. However, it may be difficult.

yours
xqx
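Added example, not part of the original report and not coreutils code: a minimal C model of the index selection described in the analysis, showing how the bound wraps when n_lines is 0 and how a guard on empty input keeps the index inside the array. The xorshift generator and the names `genmax_for`, `choose_checked` and `write_repeated` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bound passed to the generator when choosing among `choices` items
   (the "genmax" of the report). Unsigned: 0 - 1 wraps to UINTMAX_MAX. */
static uintmax_t genmax_for(uintmax_t choices)
{
    return choices - 1;
}

/* Hypothetical stand-in RNG (xorshift64); not coreutils' randint source. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ull;
static uint64_t next_u64(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return rng_state;
}

/* Guarded choice: refuses an empty set instead of producing a wild index.
   Modulo reduction is a simplification (slightly biased). */
static bool choose_checked(size_t n_lines, size_t *index)
{
    if (n_lines == 0)
        return false;
    *index = (size_t) (next_u64() % (genmax_for(n_lines) + 1));
    return true;
}

/* Writes `count` randomly chosen lines; -1 on empty input or write error. */
static int write_repeated(const char *const *lines, size_t n_lines,
                          size_t count, FILE *out)
{
    for (size_t i = 0; i < count; i++) {
        size_t j;
        if (!choose_checked(n_lines, &j) || fputs(lines[j], out) == EOF)
            return -1;
    }
    return 0;
}

int main(void)
{
    const char *const lines[] = { "a\n", "b\n", "c\n" };  /* constructed input */
    printf("genmax for 0 lines: %ju\n", genmax_for(0));
    printf("empty input -> %d\n", write_repeated(lines, 0, 2, stdout));
    return write_repeated(lines, 3, 2, stdout);
}
```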