bug#16872: [oss-security] parse_datetime() bug in coreutils

[Eric Blake]

For informational purposes: this bug has been assigned a CVE

On 01/03/2015 03:19 PM, address@hidden wrote:
> 
> On Mon, 29 Dec 2014, Moritz Mühlenhoff wrote:
> 
>> On Mon, Nov 24, 2014 at 06:47:24PM -0800, Seth Arnold wrote:
>>> Hello,
>>>
>>> Fiedler Roman discovered that coreutils' parse_datetime() function
>>> has some flaws that may be exploitable if the date(1), touch(1),
>>> or potentially other programs, accept untrusted input for certain
>>> parameters. While researching this issue, he discovered that it
>>> was independantly discovered by Bertrand Jacquin and reported at
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>>>
>>> $ touch '--date=TZ="123"345" @1'
>>> Segmentation fault (core dumped)
>>> $ date '--date=TZ="123"345" @1'
>>> *** Error in `date': double free or corruption (out):
>>> 0x00007fffc9866c20 ***
>>> Aborted (core dumped)
>>> $
>>>
>>> The GNU bugtracker has this patch to fix the problem:
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
>>>
>>> and this patch to include the fix in coreutils and a small test case:
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872
>>>
>>>
>>> Can a CVE please be assigned for this issue.
> 
> Use CVE-2014-9471.
> 
> ---
> 
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature