Synopsis
The remote NewStart CGSL host is affected by multiple vulnerabilities.
Description
The remote NewStart CGSL host, running version MAIN 6.06, has coreutils packages installed that are affected by multiple vulnerabilities:
- Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ environment variable. The error is in the save_abbr function in time_rz.c. (CVE-2017-7476)
- The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings. (CVE-2015-4041)
- Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings. (CVE-2015-4042)
- In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX -R -L options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. (CVE-2017-18018)
- The convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing. (CVE-2018-17942)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL coreutils packages. Note that updated packages may not be available yet. Please contact ZTE for more information.
Plugin Details
File Name: newstart_cgsl_NS-SA-2025-0228_coreutils.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:zte:cgsl_main:coreutils-common, cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:coreutils
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 9/30/2025
Vulnerability Publication Date: 5/15/2015