Description: A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1061138

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| coreutils (PTS) | buster | 8.30-3 | fixed |
| | sid, trixie | 9.4-3.1 | vulnerable |

The information below is based on the following data on fixed versions.

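| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| coreutils | source | buster | (not affected) | | | |
| coreutils | source | bullseye | (not affected) | | | |
| coreutils | source | bookworm | (not affected) | | | |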


[bookworm] - coreutils <not-affected> (Vulnerable code not present)
[bullseye] - coreutils <not-affected> (Vulnerable code not present)
[buster] - coreutils <not-affected> (Vulnerable code not present)
Introduced by: (v9.2)
Fixed by:
