Source: rust-coreutils X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerability was published for rust-coreutils. CVE-2026-35345[0]: | A vulnerability in the tail utility of uutils coreutils allows for | the exfiltration of sensitive file contents when using the | --follow=name option. Unlike GNU tail, the uutils implementation | continues to monitor a path after it has been replaced by a symbolic | link, subsequently outputting the contents of the link's target. In | environments where a privileged user (e.g., root) monitors a log | directory, a local attacker with write access to that directory can | replace a log file with a symlink to a sensitive system file (such | as /etc/shadow), causing tail to disclose the contents of the | sensitive file. https://github.com/uutils/coreutils/issues/10328 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-35345 https://www.cve.org/CVERecord?id=CVE-2026-35345 Please adjust the affected versions in the BTS as needed.
