AW: parse_datetime() bug in coreutils

[Fiedler Roman <Roman.Fiedler () ait ac at>]

> Von: Seth Arnold [mailto:seth.arnold () canonical com]
>
> Hello,
>
> Fiedler Roman discovered that coreutils' parse_datetime() function
> has some flaws that may be exploitable if the date(1), touch(1),
> or potentially other programs, accept untrusted input for certain
> parameters.

As some people won't have a hard time to correlate this: the issue was
discovered fixing the php session cleanup code running with root privileges,
which, apart from the symlink issues, could to my opinion also allow to pass
a single but arbitrary parameters to touch, see [1]

> [Snip]

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766147

Attachment: smime.p7s
Description: