600524 – dev-db/recutils: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)

Bug 600524 - dev-db/recutils: memory corruption flaw in parse_datetime() though embedded gnulib (CVE-2014-9471)

Summary: dev-db/recutils: memory corruption flaw in parse_datetime() though embedded g...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~2 [noglsa cve]
Keywords:

Depends on:
Blocks:	CVE-2014-9471
	Show dependency tree

Reported:	2016-11-22 22:02 UTC by Thomas Deutschmann (RETIRED)
Modified:	2017-08-14 23:13 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-22 22:02:40 UTC

It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600518. "If an application using parse_datetime(), such as touch or date, accepted untrusted input, it could cause the application to crash or, potentially, execute arbitrary code."

Comment 1 Pacho Ramos gentoo-dev

2017-06-06 17:10:45 UTC

upstream looks dead since 2014

Comment 2 Michał Górny archtester

2017-08-14 20:03:08 UTC

commit ee12e968b20ac1efdef5f66f392ae62b664978d2
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Mon Aug 14 21:53:12 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Mon Aug 14 21:59:58 2017

    dev-db/recutils: Remove last-rited pkg, #600524