Buffer Overflow Vulnerability Found in GNU Split Utility

A vulnerability has been disclosed in the split utility, part of the GNU Coreutils package, which is used to divide large files into parts. The vulnerability, identified as CVE-2024-0684, is a buffer overflow in the line_bytes_split function that occurs when long lines are processed with the “-C” (--line-bytes) option. It was discovered while analyzing failures that occurred when the split utility was used to separate data transmitted through QR codes.

The vulnerability results from an error introduced in the Coreutils 7.2 release, specifically a mistake involving the calls to the xrealloc and xpalloc functions. A patch with the correction has already been adopted in the code base, as seen in the commit at this link. However, an updated version with the correction has not yet been released.

A demonstration of the vulnerability is available in the form of an example file that causes an overflow when running the command “split -C 1024 ./split_me”. The details of this demonstration can be found at this GitHub repository.
