Bug 600520

Summary:	<sys-auth/oath-toolkit-2.6.1: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	robbat2, sysadmin
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~2 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	600518

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-22 21:43:51 UTC

It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600518. "If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code."

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-22 21:50:42 UTC

The embedded gnulib was updated via https://gitlab.com/oath-toolkit/oath-toolkit/commit/5913c96f21eca742223a3fd409e0427a2c144772

$ git tag --contains 5913c96f21eca742223a3fd409e0427a2c144772 | sort
oath-toolkit-2-6-0
oath-toolkit-2-6-1
oath-toolkit-2-6-2


@ Maintainer(s): Please drop =sys-auth/oath-toolkit-2.4.1

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2016-11-27 22:40:45 UTC

Cleaned:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9de7aebeb61e4653716952e82965fc8c713f7f7d