Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600530 - <net-libs/gnutls-3.3.0: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)
Summary: <net-libs/gnutls-3.3.0: memory corruption flaw in parse_datetime() though emb...
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2014-9471
  Show dependency tree
 
Reported: 2016-11-22 22:18 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-14 15:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 22:18:11 UTC
It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600518. "If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code."
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-14 15:40:54 UTC
I only checked 3.3.x branch.

Fixed via https://gitlab.com/gnutls/gnutls/commit/9c1a48b7aa071377f3295801173559e5c44caa42 which is included since 3.3.0.