8.20. coreutils

Updated coreutils packages that fix three security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
The coreutils package contains the core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.

Security Fixes

CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.
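
The unbounded alloca() pattern behind this class of flaw, beside a bounded form that falls back to the heap, as an added example in C. It is not the coreutils code or the Red Hat patch; the function names and the 4096-byte STACK_SCRATCH_MAX cap are assumptions chosen for illustration.

```c
/* Added example; function names and the cap below are assumptions. */
#include <alloca.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_SCRATCH_MAX 4096  /* assumed cap; larger requests use the heap */

static void fold(char *dst, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (char) toupper((unsigned char) src[i]);
}

/* Fragile pattern: scratch size follows the input length, so one very long
   line asks alloca() for more than the stack holds and the process crashes. */
int equal_fold_unbounded(const char *a, const char *b, size_t len)
{
    char *ta = alloca(len + 1), *tb = alloca(len + 1);
    fold(ta, a, len);
    fold(tb, b, len);
    return memcmp(ta, tb, len) == 0;
}

/* Bounded pattern: 1 = equal, 0 = different, -1 = cannot allocate.
   *on_heap reports which allocator served the request. */
int equal_fold_bounded(const char *a, const char *b, size_t len, int *on_heap)
{
    if (len > (SIZE_MAX - 2) / 2)           /* 2 * len + 2 would wrap */
        return -1;
    size_t need = 2 * len + 2;
    *on_heap = need > STACK_SCRATCH_MAX;    /* stack only for small requests */
    char *buf = *on_heap ? malloc(need) : alloca(need);
    if (buf == NULL)                        /* heap failure is reportable */
        return -1;
    fold(buf, a, len);
    fold(buf + len + 1, b, len);
    int eq = memcmp(buf, buf + len + 1, len) == 0;
    if (*on_heap) free(buf);
    return eq;
}

int main(void)
{
    int heap, eq = equal_fold_bounded("Alpha", "aLPHA", 5, &heap);
    printf("equal=%d heap=%d\n", eq, heap);
    return 0;
}
```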

Bug Fixes

Previously, due to incorrect propagation of signals from child processes, the return values of the "su" command were incorrect and core dump information was not shown in the parent process. With this update, signal propagation from child processes has been fixed and the return values of the "su" command corrected. As a result, core dump messages from child processes are no longer ignored and the "su" command returns correct exit values.
Previously, the "su" command did not wait for the end of its child processes. As a consequence, the su utility could exit before the child process had finished. This bug has been fixed and now "su" waits for the child process to exit.
Previously, when invoked with no user name argument, the "id -G" and "id --groups" commands printed the default group ID listed in the password database. Occasionally, this ID was incorrect or not effective, especially when it had been changed. After this update, the aforementioned commands print only effective and real IDs when no user is specified.
The "tail -f" command uses inotify for tracking changes in files. For remote file systems, inotify is not available. In the case of unknown file systems, for example panasas, "tail -f" failed instead of falling back to polling. Now, the list of known file systems is updated and "tail -f" is modified to fall back to polling for unknown file systems. As a result, "tail -f" now works correctly, even on unknown file systems, with only a warning about the unknown file system and a fallback to polling.
Previously, the "df" command interpreted control characters in the output mount name. As a consequence, it could be inconvenient to read and problematic for scripts when there are control characters such as "\n" in the output. Problematic characters have been replaced by a question mark sign ("?"), and such output is no longer hard to read.
Previously, a Red Hat specific patch for multibyte locale support in the core utilities was missing the handling of the "--output-delimiter" option of the "cut" command. As a consequence, the option was ignored if specified. Support for the "--output-delimiter" option has been implemented in coreutils and users can now use this option with multibyte locales.
Previously, when an "su" session was terminated by a signal, it returned an incorrect exit status. This caused various issues, such as a ksh lockup, to occur. This update fixes the exit status handling and the aforementioned situation no longer occurs.
Previously, the stat utility used the setpwent() and setgrent() functions. This caused NIS database download problems every time the stat utility was called, thus causing performance issues. After this update, the aforementioned function calls are no longer present in the stat utility source code. As a result, NIS database downloads are not necessary with every stat utility run.
When parsing a file's content, in which the end of a field was specified using the obsolete key formats (+POS -POS), the sort utility determined the end of the field incorrectly, and therefore produced incorrect output. This update fixes the parsing logic to match the usage of the "-k" option when using these obsolete key formats. The sort utility now returns expected results in this situation.
Previously, in some cases, the date utility could parse invalid input. This was due to sign extension of "other" bytes in the parsing mechanism, which produced unexpected results for some invalid input. The parsing mechanism has been fixed, and the date utility now correctly recognizes invalid input where appropriate.
Previously, the "dd" utility produced the transfer statistics output even if "status=noxfer" was specified. To fix this bug, a new option, "status=none", has been implemented to suppress all informational output. As a result, unnecessary information produced by dd is no longer displayed with this option.
The "su" utility has a "-p" option, which preserves some of the environment variables. However, the su(1) manual page incorrectly stated that the whole environment was preserved. After this update, the manual page has been adjusted to list all the preserved environment variables.
When moving directories between two file systems, the "mv" utility failed to overwrite an empty directory, which was a violation of the POSIX standard. After this update, mv no longer fails to overwrite an empty destination directory and the POSIX standard rules are obeyed.
Previously, the "pr" utility used a suboptimal code routine when the "-n" option was specified, and inconsistent padding with either zeros or spaces. As a consequence, pr terminated unexpectedly when the "-n" option was used with a value of 32 or higher. Moreover, the inconsistent padding was hard to parse by scripts. After this update, line numbers are consistently padded by spaces and the program has been improved to handle high values of the "-n" option correctly. As a result, the "pr" utility no longer terminates unexpectedly.
Previously, the "tail -f" command did not monitor dead symbolic links properly. As a result, "tail -f" ignored updates to the referent of a symbolic link after the symbolic link was killed. This bug has now been fixed and "tail -f" now notices when the dead symbolic link is revived and resumes tailing the contents of the referent.

Enhancements

Before this update, a directory cycle induced by a bind mount was treated as a fatal error, such as probable disk corruption. However, such cycles are relatively common and can be detected efficiently. The "du" command has been modified to display a descriptive warning and also to return the appropriate non-zero exit value. This allows bind mounts of various services to be handled correctly.
In Red Hat Enterprise Linux 6, the "dd" command has a "conv" option, which supports various conversion types. This update adds support for the "sparse" conversion option, used for sparse files. This feature is useful when copying block devices to files, because it minimizes the amount of space the data actually occupies. In addition, it can be used for managing virtual machine images in different storage types, including iSCSI and NFS.
Users of coreutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.