Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 600532

Summary: sys-apps/findutils: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [upsteam]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 600518    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 22:20:47 UTC 
It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600518. "If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code."
Comment 1 SpanKY gentoo-dev 2016-11-23 19:39:48 UTC 
i don't know the specific version this fix started in, but 4.4.x didn't import this module, and 4.5.14+ includes the fix (Apr 2014), and 4.6.0 has been stable for a while now.