parse_datetime() bug in coreutils

[Seth Arnold <seth.arnold () canonical com>]

Hello,

Fiedler Roman discovered that coreutils' parse_datetime() function
has some flaws that may be exploitable if the date(1), touch(1),
or potentially other programs, accept untrusted input for certain
parameters. While researching this issue, he discovered that it
was independantly discovered by Bertrand Jacquin and reported at
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872

$ touch '--date=TZ="123"345" @1'
Segmentation fault (core dumped)
$ date '--date=TZ="123"345" @1'
*** Error in `date': double free or corruption (out): 0x00007fffc9866c20 ***
Aborted (core dumped)
$

The GNU bugtracker has this patch to fix the problem:
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
and this patch to include the fix in coreutils and a small test case:
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872

Can a CVE please be assigned for this issue.

(Incidentally, that's some hairy-looking code; someone with time and an
inclination to join Hanno's fuzzing project might find it a fruitful
starting point.)

Thanks

Attachment: signature.asc
Description: Digital signature