oss-sec mailing list archives

Re: parse_datetime() bug in coreutils


From: Moritz Mühlenhoff <jmm () inutil org>
Date: Mon, 29 Dec 2014 01:06:25 +0100

On Mon, Nov 24, 2014 at 06:47:24PM -0800, Seth Arnold wrote:
> Hello,
>
> Fiedler Roman discovered that coreutils' parse_datetime() function
> has some flaws that may be exploitable if the date(1), touch(1),
> or potentially other programs, accept untrusted input for certain
> parameters. While researching this issue, he discovered that it
> was independently discovered by Bertrand Jacquin and reported at
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>
> $ touch '--date=TZ="123"345" @1'
> Segmentation fault (core dumped)
> $ date '--date=TZ="123"345" @1'
> *** Error in `date': double free or corruption (out): 0x00007fffc9866c20 ***
> Aborted (core dumped)
> $
>
> The GNU bugtracker has this patch to fix the problem:
> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
> and this patch to include the fix in coreutils and a small test case:
> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872
>
> Can a CVE please be assigned for this issue.

This CVE request seems to have fallen through the cracks,
adding cve-assign () mitre org to the recipients.

Cheers,
        Moritz

