oss-sec mailing list archives
Re: parse_datetime() bug in coreutils
From: Moritz Mühlenhoff <jmm () inutil org>
Date: Mon, 29 Dec 2014 01:06:25 +0100
On Mon, Nov 24, 2014 at 06:47:24PM -0800, Seth Arnold wrote:
> Hello,
>
> Fiedler Roman discovered that coreutils' parse_datetime() function has some
> flaws that may be exploitable if the date(1), touch(1), or potentially other
> programs, accept untrusted input for certain parameters.
>
> While researching this issue, he discovered that it was independently
> discovered by Bertrand Jacquin and reported at
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>
> $ touch '--date=TZ="123"345" @1'
> Segmentation fault (core dumped)
> $ date '--date=TZ="123"345" @1'
> *** Error in `date': double free or corruption (out): 0x00007fffc9866c20 ***
> Aborted (core dumped)
> $
>
> The GNU bugtracker has this patch to fix the problem:
> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
>
> and this patch to include the fix in coreutils and a small test case:
> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872
>
> Can a CVE please be assigned for this issue.

This CVE request seems to have fallen through the cracks, adding cve-assign () mitre org to the recipients.

Cheers,
Moritz
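
A regression check built from the reproducer in the quoted report, as an added example that is not part of the original thread or of the coreutils patch: it passes the malformed `--date` string to a program and classifies the exit status, treating termination by a signal as the crash described above. The names `MALFORMED`, `classify_status` and `probe` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the installed date(1)
# and touch(1) still crash on the malformed TZ string quoted in the report.

# The exact argument shown in the report's terminal session.
MALFORMED='--date=TZ="123"345" @1'

# POSIX shells report a child killed by signal N as exit status 128+N,
# so a status above 128 means the program crashed instead of rejecting
# the input (e.g. 139 = SIGSEGV, 134 = SIGABRT from the double free).
classify_status() {
    status=$1
    if [ "$status" -gt 128 ]; then
        echo "crashed (signal $((status - 128)))"
    elif [ "$status" -eq 0 ]; then
        echo "accepted"
    else
        echo "rejected cleanly"
    fi
}

# Run the given program with the malformed argument appended and classify
# how it ended. "|| status=$?" keeps this usable under "set -e".
probe() {
    status=0
    "$@" "$MALFORMED" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# touch is run without a file operand, exactly as in the report: the date
# string is parsed during option handling, before the operand check.
for prog in date touch; do
    printf '%s: %s\n' "$prog" "$(probe "$prog")"
done
```

Any result other than "crashed" means the program handled the string without memory corruption; whether a fixed build accepts or rejects the string is not stated in the thread.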
Current thread:
- parse_datetime() bug in coreutils Seth Arnold (Nov 24)
- AW: parse_datetime() bug in coreutils Fiedler Roman (Nov 25)
- Re: parse_datetime() bug in coreutils Moritz Mühlenhoff (Dec 28)