Bug 600536

Summary:	sci-mathematics/octave: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	sci-mathematics
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A2 []
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	600518

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-22 22:30:05 UTC

It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600518. "If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code."

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-20 04:04:14 UTC

It's been a while since this bug was open, but right now, after the bump to octave-4.2.1, there is no implementation of parse_datetime() in the source code.

Gentoo Security Padawan
ChrisADR

Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-20 16:07:45 UTC

After double checking prior versions of octave, all the sources were clean from parse_datetime() which means that they were never affected by this vulnerability.

Closing as INVALID