Since coreutils 9.2 https://github.com/coreutils/coreutils/commit/40bf1591b introduced a heap overflow issue, which can be triggered like: { printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in split -C 131072 ---io=131072 in That will dump core, but as with all heap overflows is a potential security issue. I'll leave it up to you to determine whether a CVE is required. There is already a patch upstream, but it's not flagged as a security issue, in an abundance of caution, in case this issue in more security sensitive than first envisaged. The upstream patch is: https://github.com/coreutils/coreutils/commit/c4c5ed8f4.patch
Thank you for letting us know, Pádraig! I have to wait for the Security Response Team to finish the analysis. When the analysis is done, I'll backport your patch to F39 and newer ASAP.
FEDORA-2024-6b85e8848f has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-6b85e8848f
FEDORA-2024-7e5ca38c70 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-7e5ca38c70
FEDORA-2024-6b85e8848f has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-6b85e8848f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-6b85e8848f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-6b85e8848f has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.