GNU bug report logs - #16872
`date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'` crashes

Previous Next

Package: coreutils;

Reported by: Mike Frysinger <vapier <at> gentoo.org>

Date: Tue, 25 Feb 2014 08:15:02 UTC

Severity: normal

Tags: fixed

Merged with 21186

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Eric Blake <eblake <at> redhat.com>
To: 16872 <at> debbugs.gnu.org
Subject: bug#16872: [oss-security] parse_datetime() bug in coreutils
Date: Mon, 05 Jan 2015 10:29:55 -0700

[Message part 1 (text/plain, inline)]
For informational purposes: this bug has been assigned a CVE

On 01/03/2015 03:19 PM, cve-assign <at> mitre.org wrote:
> 
> On Mon, 29 Dec 2014, Moritz Mühlenhoff wrote:
> 
>> On Mon, Nov 24, 2014 at 06:47:24PM -0800, Seth Arnold wrote:
>>> Hello,
>>>
>>> Fiedler Roman discovered that coreutils' parse_datetime() function
>>> has some flaws that may be exploitable if the date(1), touch(1),
>>> or potentially other programs, accept untrusted input for certain
>>> parameters. While researching this issue, he discovered that it
>>> was independantly discovered by Bertrand Jacquin and reported at
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>>>
>>> $ touch '--date=TZ="123"345" @1'
>>> Segmentation fault (core dumped)
>>> $ date '--date=TZ="123"345" @1'
>>> *** Error in `date': double free or corruption (out):
>>> 0x00007fffc9866c20 ***
>>> Aborted (core dumped)
>>> $
>>>
>>> The GNU bugtracker has this patch to fix the problem:
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
>>>
>>> and this patch to include the fix in coreutils and a small test case:
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872
>>>
>>>
>>> Can a CVE please be assigned for this issue.
> 
> Use CVE-2014-9471.
> 
> ---
> 
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[signature.asc (application/pgp-signature, attachment)]
This bug report was last modified 6 years and 220 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.