Bugs Rust Won't Catch, https://corrode.dev/blog/bugs-rust-wont-catch/.

Canonical has disclosed 44 CVEs in uutils. The author explains a couple of them.

It’s interesting to learn about these attack vectors. The author insists Rust doesn’t catch these bugs, neither at compile time nor via Clippy, even though the fixes are straightforward.

The author quickly compares uutils to GNU coreutils, which has received many CVEs related to, e.g., memory management, which are not possible in safe Rust.

#RustLang #security #safety #uutils

[Translation] 44 CVEs in uutils: what Rust catches and what it doesn’t at the system boundary

In April 2026, Canonical disclosed 44 CVEs in uutils. It is the Rust rewrite of GNU coreutils, which Ubuntu has shipped by default since 25.10. The disclosure came out of an external audit commissioned ahead of the 26.04 LTS release. Most of the vulnerabilities were found by ordinary code review. Neither the borrow checker, nor clippy checks, nor cargo audit caught a single one. This audit is perhaps the clearest existing example of what Rust catches and what it doesn’t. The most coherent breakdown of the list was done by Matthias Endler in his post “Bugs Rust Won’t Catch” from April 29. Endler runs the corrode consultancy and the Rust in Production podcast; he recently had Jon Seager, VP of Engineering at Canonical, as a guest. The post is structured as a breakdown of that very disclosure: the 44 CVEs are split into eight categories, and most come with the git diff of the fix attached. Below I will go through Endler’s framework and add two arguments on top. First: one of the GNU coreutils maintainers showed a benchmark in the HN thread on which the fix Endler recommends does not survive. Second: a structural argument about what 40 years of layered POSIX scars do to any rewrite, regardless of language.

https://habr.com/ru/articles/1031420/

#rust #cve #uutils #coreutils #canonical #ubuntu #toctou #security #systems_programming

@ChuckMcManis @lcamtuf are the #uutils crowd working from the C source (in which case these bugs are really really stupid) or are they writing code /de novo/ based on a spec? If the latter then these bugs are understandable, provided that they are dealt with when reported.

The real problem here though is Ubuntu, just changing stuff for teh lolz.

Why does #Canonical want to replace the fully developed #GNU #coreutils with their newly developed #uutils?
The only difference is that uutils is a reimplementation in #RUST of the coreutils, which are written in #C.
All they obviously do is put issues into these absolutely basic utilities that don’t exist in the originals.

To me that makes no sense. The only idea I get why Canonical might do this is to get more control over basic utilities of #Linux.
https://seclists.org/oss-sec/2026/q2/332

The result of the audit of uutils coreutils is sad but entirely unsurprising. I've followed the development of uutils closely for a while now and it seems like a case of being too lax with reviewing merge requests and internal machinery. A *symptom* of this is allowing AI-generated code. The project isn't so bad as to shove copilot or claude into everything ever, but there is no blocking of fully AI-generated MRs without much explanation of changes. I really hope this is a wake-up call...

#uutils

@hyc @lcamtuf

One thing that the Rust rewrite of coreutils tried to do was to prove that it was making steady progress by the number of test cases originating from GNU coreutils that it could pass.

I very much suspect that there's a whole host of race condition tests that made it into the test corpus late in the game.

Test-driven rewrite has its limits.

Note the uptick in failures at the very right edge of the graph; they are currently under 90% of tests successful.

#coreutils #uutils

Just replaced #uutils #coreutils on #ubuntu (yes, I know) with good old #gnu #coreutils. Why, you ask?

Not because of the dozens of CVEs recently published for the #rust version.

Simply because the uutils man page for date(1) unexpectedly ends after the command options. The [[Format]] section hadn't been (clean-room) finished yet, I guess, or there exists some kind of markdown processing bug maybe, but they (Ubuntu) shipped it that way anyway?

RE: https://mastodon.social/@mre/116488165568459661

"What’s left is, frankly, a more interesting class of #bug. It lives at the boundary between our controlled #Rust environment and the messy, chaotic outside world, where paths, bytes, strings, and syscalls are all tangled up in one eternal ball of sadness. That’s the new #security boundary of modern systems code."

Thank you @mre for this excellent blog post and categorization of security bugs.

And thank you to #Canonical for being the canary in the coal mine. 🦜

#RustLang #uutils #Bugs

RE: https://fosstodon.org/@fedora/116482826989761429

For #RustLang aficionados, this release ships a very recent version of #uutils' port of #coreutils too (0.7.0, same as Debian unstable), with a lot more features enabled than previously!

It's also backported to previous #Fedora releases, please give it a whirl. Bug reports welcome against #rust-coreutils on bugzilla.redhat.com

Ubuntu 26.04 is coming out today with uutils (Rust coreutils reimplementation) by default and I expect this huge exposure to unearth a good number of compatibility issues, like the one I just found: https://github.com/uutils/coreutils/issues/11956

#RustLang #uutils #coreutils #Ubuntu #ubuntu2604

Missing du human readable locale support (french) breaks sorting · Issue #11956 · uutils/coreutils