From f3d02feb85890ffd0fbfe7603109058361464006 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Kj=C3=A4ll?= Date: Sat, 2 May 2026 08:58:56 +0200 Subject: [PATCH] add information about CVE-2026-35339 --- crates/uu_chmod/RUSTSEC-0000-0000.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 crates/uu_chmod/RUSTSEC-0000-0000.md diff --git a/crates/uu_chmod/RUSTSEC-0000-0000.md b/crates/uu_chmod/RUSTSEC-0000-0000.md new file mode 100644 index 0000000000..2881425caa --- /dev/null +++ b/crates/uu_chmod/RUSTSEC-0000-0000.md @@ -0,0 +1,28 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "uu_chmod" +date = "2026-04-22" +url = "https://github.com/uutils/coreutils/pull/9793" +cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" +keywords = ["return-value"] +aliases = ["CVE-2026-35339"] + +[affected] + +[versions] +patched = [">= 0.6.0"] +``` + +# Incorrect exit code when processing multiple files + +The recursive mode (-R) of the chmod utility in uutils coreutils +incorrectly handles exit codes when processing multiple files. The +final return value is determined solely by the success or failure +of the last file processed. + +This allows the command to return an exit code of 0 (success) even +if errors were encountered on previous files, such as 'Operation +not permitted'. Scripts relying on these exit codes may proceed +under a false sense of success while sensitive files remain with +restrictive or incorrect permissions.