From ${URL} :
A memory corruption flaw was reported in parse_datetime(). If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code.
Patch:
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
References:
http://seclists.org/oss-sec/2014/q4/782
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-9471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9471): The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command.
Maintainer(s), RedHat has issued a statement that this will not be fixed. Can someone take a look and make a decision if we are going to fix, or go the same route as RedHat. See URL
(In reply to Yury German from comment #2)
> Maintainer(s),
> RedHat has issued a statement that this will not be fixed. Can someone take
> a look and make a decision if we are going to fix, or go the same route as
> RedHat.
> See URL
The difference here might be one of backporting to an old version vs going with a new version. As we're on a rolling release anyway, that should be taken into consideration when making such a decision, in particular when a patch seems to exist (I've not verified it though).
The bug is in gnulib, so any project using it might have picked it up.
coreutils-8.23 already has the updated code.
8.23 has been stable at this point for over a year. prob should just close this bug out.
This issue was resolved and addressed in GLSA 201612-22 at https://security.gentoo.org/glsa/201612-22 by GLSA coordinator Aaron Bauman (b-man).