Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 530514 - <sys-apps/coreutils-8.23: memory corruption flaw in parse_datetime() (CVE-2014-9471)
Summary: <sys-apps/coreutils-8.23: memory corruption flaw in parse_datetime() (CVE-201...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://git.savannah.gnu.org/cgit/gnul...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2014-9471
  Show dependency tree
 
Reported: 2014-11-25 08:33 UTC by Agostino Sarubbo
Modified: 2016-12-08 13:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-11-25 08:33:35 UTC
From ${URL} :

A memory corruption flaw was reported in parse_datetime(). If an application using 
parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application 
to crash or, potentially, execute arbitrary code.

Patch:

http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872

References:
http://seclists.org/oss-sec/2014/q4/782
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-02-22 13:50:58 UTC
CVE-2014-9471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9471):
  The parse_datetime function in GNU coreutils allows remote attackers to
  cause a denial of service (crash) or possibly execute arbitrary code via a
  crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string
  to the touch or date command.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-22 13:52:43 UTC
Maintainer(s), 
RedHat has issued a statement that this will not be fixed. Can someone take a look and make a decision if we are going to fix, or go the same route as RedHat.
See URL
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2015-02-22 14:41:46 UTC
(In reply to Yury German from comment #2)
> Maintainer(s), 
> RedHat has issued a statement that this will not be fixed. Can someone take
> a look and make a decision if we are going to fix, or go the same route as
> RedHat.
> See URL

The difference here might be one of backporting to old version vs going with a new version. As we're on rolling release anyways that should be taken into consideration when making such a decision, in particular when a patch seems to exist (I've not verified it though)
Comment 4 SpanKY gentoo-dev 2015-02-22 17:17:44 UTC
the bug is in gnulib, so any project using it might have picked it up

coreutils-8.23 already has the updated code
Comment 5 SpanKY gentoo-dev 2016-11-23 19:34:47 UTC
8.23 has been stable at this point for over a year.  prob should just close this bug out.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-12-08 13:12:34 UTC
This issue was resolved and addressed in
 GLSA 201612-22 at https://security.gentoo.org/glsa/201612-22
by GLSA coordinator Aaron Bauman (b-man).