Summary: | <sys-apps/coreutils-8.23: memory corruption flaw in parse_datetime() (CVE-2014-9471) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=a10acfb1d2118f9a180181d3fed5399dbbe1df3c | ||
See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1167548 | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 600518 |
Description
Agostino Sarubbo
2014-11-25 08:33:35 UTC
CVE-2014-9471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9471): The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command. Maintainer(s), RedHat has issued a statement that this will not be fixed. Can someone take a look and make a decision if we are going to fix, or go the same route as RedHat. See URL (In reply to Yury German from comment #2) > Maintainer(s), > RedHat has issued a statement that this will not be fixed. Can someone take > a look and make a decision if we are going to fix, or go the same route as > RedHat. > See URL The difference here might be one of backporting to old version vs going with a new version. As we're on rolling release anyways that should be taken into consideration when making such a decision, in particular when a patch seems to exist (I've not verified it though) the bug is in gnulib, so any project using it might have picked it up coreutils-8.23 already has the updated code 8.23 has been stable at this point for over a year. prob should just close this bug out. This issue was resolved and addressed in GLSA 201612-22 at https://security.gentoo.org/glsa/201612-22 by GLSA coordinator Aaron Bauman (b-man). |