GHSA-p7h3-7q52-72w8
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection)
상세
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
--- _Zellic finding 3.66. Reported in the Zellic *uutils coreutils Program Security Assessment* (for Canonical, Jan 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`._
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 수정 버전: 0.6.0 Upgrade uu_printenv to 0.6.0 or newer (ecosystem crates.io).
참고
- https://github.com/uutils/coreutils/security/advisories/GHSA-p7h3-7q52-72w8 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-35366 [ADVISORY]
- https://github.com/uutils/coreutils/issues/9701 [WEB]
- https://github.com/uutils/coreutils/pull/9728 [WEB]
- https://github.com/uutils/coreutils/commit/0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52 [WEB]
- https://github.com/uutils/coreutils [PACKAGE]
- https://github.com/uutils/coreutils/releases/tag/0.6.0 [WEB]