A flaw was found in GNU Coreutils through 8.29 in chown-core.c. The functions chown and chgrp do not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. References: http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html
Created coreutils tracking bugs for this issue: Affects: fedora-all [bug 1532285]
Do I understand it correctly that CVE-2017-18018 was fixed as documentation bug only? What are you expecting to happen? The documentation fix being applied on Fedora release via security update? Are you assuming that Fedora users read the info documentation thoroughly enough to actually notice the documentation update?
(In reply to Kamil Dudka from comment #2) > Do I understand it correctly that CVE-2017-18018 was fixed as documentation > bug only? What are you expecting to happen? The documentation fix being > applied on Fedora release via security update? > > Are you assuming that Fedora users read the info documentation thoroughly > enough to actually notice the documentation update? Hey Kamil, you definitely don't need to do an async release for this kind of issue, that's your call. This was mainly filed so that we are tracking it's existence and the fact that it got a CVE identifier. I think it's fine to wait for the next upstream release which should contain the updated documentation. Feel free to wontfix the tracker if you want.