It was reported that a heap overflow can be triggered in sort(1). This appears to be caused by performing a size calculation without properly considering the number of bytes occupied by multibyte characters.

Initial report: https://bugzilla.suse.com/show_bug.cgi?id=928749
Fix: https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940
CVE assignment: http://seclists.org/oss-sec/2015/q2/502
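The sizing mismatch described in the report, as an added stand-alone illustration (this is not coreutils code and not the i18n patch; the function names, the tab-separated key field and the UTF-8 sample lines are all constructed for the example). A multibyte-aware field walk yields a character count; if the key buffer is sized from that count but the key is then copied byte by byte, any multibyte character in the key makes the copy run past the allocation. The checked copy below refuses instead of overflowing, so the mismatch can be observed safely:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count UTF-8 characters in s[0..nbytes): every byte that is not a
   continuation byte (10xxxxxx) starts a character. Assumes valid UTF-8. */
static size_t utf8_char_count(const char *s, size_t nbytes)
{
    size_t n = 0;
    for (size_t i = 0; i < nbytes; i++)
        if (((unsigned char)s[i] & 0xC0) != 0x80)
            n++;
    return n;
}

/* Locate 0-based tab-separated field `field` in `line` and store its byte
   length in *len. Returns NULL if the line has fewer fields than that. */
static const char *find_field(const char *line, unsigned field, size_t *len)
{
    const char *p = line;
    for (unsigned f = 0; f < field; f++) {
        const char *tab = strchr(p, '\t');
        if (tab == NULL)
            return NULL;
        p = tab + 1;
    }
    const char *end = strchr(p, '\t');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Flawed sizing (hypothetical name): the key buffer is sized from the
   character count a multibyte-aware scan produced. This is only correct
   when every character is one byte, e.g. under LC_ALL=C or on pure ASCII
   data. Returns 0 when the field does not exist. */
size_t key_bufsize_by_chars(const char *line, unsigned field)
{
    size_t len;
    const char *p = find_field(line, field, &len);
    return p ? utf8_char_count(p, len) + 1 : 0;
}

/* Correct sizing: the bytes that will actually be copied, plus the NUL. */
size_t key_bufsize_by_bytes(const char *line, unsigned field)
{
    size_t len;
    const char *p = find_field(line, field, &len);
    return p ? len + 1 : 0;
}

/* Bounds-checked key extraction: copies the field into dst[0..bufsize) and
   returns 0, or returns -1 without copying when the field would not fit.
   An unchecked memcpy here, fed the character-based size, is the overflow. */
int extract_key(char *dst, size_t bufsize, const char *line, unsigned field)
{
    size_t len;
    const char *p = find_field(line, field, &len);
    if (p == NULL || len + 1 > bufsize)
        return -1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

/* 1 if a buffer sized by character count is too small for this field,
   0 if it suffices, -1 if the field does not exist. */
int chars_sizing_overflows(const char *line, unsigned field)
{
    size_t sz = key_bufsize_by_chars(line, field);
    if (sz == 0)
        return -1;
    char *buf = malloc(sz);
    if (buf == NULL)
        return -1;
    int r = extract_key(buf, sz, line, field);
    free(buf);
    return r == 0 ? 0 : 1;
}

int main(void)
{
    /* Constructed sample lines; the second field (index 1) is the sort key.
       "naïve café" is 10 characters but 12 bytes in UTF-8. */
    const char *ascii = "1\tplain\tx";
    const char *utf8  = "2\tna\xc3\xafve caf\xc3\xa9\tx";
    printf("ascii: by_chars=%zu by_bytes=%zu overflow=%d\n",
           key_bufsize_by_chars(ascii, 1), key_bufsize_by_bytes(ascii, 1),
           chars_sizing_overflows(ascii, 1));
    printf("utf8:  by_chars=%zu by_bytes=%zu overflow=%d\n",
           key_bufsize_by_chars(utf8, 1), key_bufsize_by_bytes(utf8, 1),
           chars_sizing_overflows(utf8, 1));
    return 0;
}
```

On the ASCII line both sizings agree and nothing overflows; on the UTF-8 line the character-based size is two bytes short of what the copy needs, which is the condition a crafted input file only has to meet once per key to corrupt the heap. The fix is the same in any such code path: size and bound the copy by bytes, and keep the character count only for collation logic.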
Created coreutils tracking bugs for this issue: Affects: fedora-all [bug 1223821]
I believe the heap buffer overflow affects only older versions of the sort i18n patch (IOW only one of the CVEs is valid for the current Fedora patch; the other one is valid only for RHEL 6 and older). The LC_ALL=C sort code path is completely unaffected. Do you plan to create RHEL 6/7 bzs for this CVE? Actually, I think this (and the previous similar flaws in the i18n patch that got CVEs as well) was the primary reason why P.Brady contacted secalert about this issue.
Mitigation: This flaw is triggered by running sort on a specially crafted malicious data file. When sort is used only with trusted inputs, this flaw cannot be triggered.