GHSA-FQ3W-P4FG-MW73

Vulnerability from github – Published: 2026-06-25 18:00 – Updated: 2026-06-25 18:00
VLAI
Summary
fixurjavainstall: Previous Fuji versions can accidentally wipe `/usr/share/man/man8`
Details

Impact

Affects: Anyone who generates the UNIX man pages in Fuji <= 0.8.0 build with the dev crate feature. Consequences: /usr/share/man/man8 may be entirely removed & re-created without any of the previous entries.

Patches

At the time of writing, no new version has been released on crates.io, due to an unrelated CI/CD publishing issue. Due to the same unrelated publishing issue, no new GitHub Releases version has been released.

Workarounds

Do not run fuji manual on non-dev builds for versions <= 0.8.0.

Additional Information

This bug results from development-only code being accidentally left in for release use. Previous versions of Fuji are still "safe" to use, provided that you do not run fuji manual. There is no malicious potential from this, it's just a major annoyance to accidentally remove all your sysadmin man pages.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "fixurjavainstall"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:00:18Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nAffects: Anyone who generates the UNIX man pages in Fuji \u003c= `0.8.0` build with the `dev` crate feature.\nConsequences: `/usr/share/man/man8` may be entirely removed \u0026 re-created without any of the previous entries.\n\n### Patches\nAt the time of writing, no new version has been released on crates.io, due to an unrelated CI/CD publishing issue.\nDue to the same unrelated publishing issue, no new GitHub Releases version has been released.\n\n### Workarounds\nDo not run `fuji manual` on non-`dev` builds for versions \u003c= `0.8.0`.\n\n### Additional Information\nThis bug results from development-only code being accidentally left in for release use.\nPrevious versions of Fuji are still \"safe\" to use, provided that you do not run `fuji manual`.\nThere is no malicious potential from this, it\u0027s just a major annoyance to accidentally remove all your sysadmin man pages.",
  "id": "GHSA-fq3w-p4fg-mw73",
  "modified": "2026-06-25T18:00:18Z",
  "published": "2026-06-25T18:00:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EpicVon2468/fixurjavainstall/security/advisories/GHSA-fq3w-p4fg-mw73"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EpicVon2468/fixurjavainstall"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fixurjavainstall: Previous Fuji versions can accidentally wipe `/usr/share/man/man8`"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…