
Bug 530514

Summary: <sys-apps/coreutils-8.23: memory corruption flaw in parse_datetime() (CVE-2014-9471)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=a10acfb1d2118f9a180181d3fed5399dbbe1df3c
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1167548
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 600518    

Description Agostino Sarubbo gentoo-dev 2014-11-25 08:33:35 UTC
From ${URL} :

A memory corruption flaw was reported in parse_datetime(). If an application using 
parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application 
to crash or, potentially, execute arbitrary code.

Patch:

http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872

References:
http://seclists.org/oss-sec/2014/q4/782
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-02-22 13:50:58 UTC
CVE-2014-9471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9471):
  The parse_datetime function in GNU coreutils allows remote attackers to
  cause a denial of service (crash) or possibly execute arbitrary code via a
  crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string
  to the touch or date command.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-02-22 13:52:43 UTC
Maintainer(s), 
RedHat has issued a statement that this will not be fixed. Can someone take a look and make a decision if we are going to fix, or go the same route as RedHat.
See URL
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-22 14:41:46 UTC
(In reply to Yury German from comment #2)
> Maintainer(s), 
> RedHat has issued a statement that this will not be fixed. Can someone take
> a look and make a decision if we are going to fix, or go the same route as
> RedHat.
> See URL

The difference here might be one of backporting to an old version vs going with a new version. As we're on a rolling release anyways, that should be taken into consideration when making such a decision, in particular when a patch seems to exist (I've not verified it though).
Comment 4 SpanKY gentoo-dev 2015-02-22 17:17:44 UTC
the bug is in gnulib, so any project using it might have picked it up

coreutils-8.23 already has the updated code
Comment 5 SpanKY gentoo-dev 2016-11-23 19:34:47 UTC
8.23 has been stable at this point for over a year.  prob should just close this bug out.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-12-08 13:12:34 UTC
This issue was resolved and addressed in
 GLSA 201612-22 at https://security.gentoo.org/glsa/201612-22
by GLSA coordinator Aaron Bauman (b-man).