Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 600528

Summary: <app-arch/tar-1.28: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [upstream]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 600518    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 22:14:58 UTC 
It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600518. "If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code."
Comment 1 SpanKY gentoo-dev 2016-11-23 19:43:16 UTC 
the fix was included with the 1.28 release which hit the tree in Jul 2014 and went stable in May 2016.  there's another security bug that is forcing 1.29 to go stable too.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-17 20:43:55 UTC 
Was superseded by bug 598334. GLSA for 1.29 was already released. We won't add this issue to the existing GLSA https://security.gentoo.org/glsa/201611-19 because this would require to rewrite the GLSA which we don't do. The severity doesn't require a new one.

Repository is clean, all done.