Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 600524

Summary: dev-db/recutils: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: maintainer-needed, mgorny, treecleaner
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 600518    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 22:02:40 UTC 
It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600518. "If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code."
Comment 1 Pacho Ramos gentoo-dev 2017-06-06 17:10:45 UTC 
upstream looks dead since 2014
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-14 20:03:08 UTC 
commit ee12e968b20ac1efdef5f66f392ae62b664978d2
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Mon Aug 14 21:53:12 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Mon Aug 14 21:59:58 2017

    dev-db/recutils: Remove last-rited pkg, #600524