oss-sec mailing list archives
parse_datetime() bug in coreutils
From: Seth Arnold <seth.arnold () canonical com>
Date: Mon, 24 Nov 2014 18:47:24 -0800
Hello, Fiedler Roman discovered that coreutils' parse_datetime() function has some flaws that may be exploitable if the date(1), touch(1), or potentially other programs, accept untrusted input for certain parameters. While researching this issue, he discovered that it was independantly discovered by Bertrand Jacquin and reported at http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872 $ touch '--date=TZ="123"345" @1' Segmentation fault (core dumped) $ date '--date=TZ="123"345" @1' *** Error in `date': double free or corruption (out): 0x00007fffc9866c20 *** Aborted (core dumped) $ The GNU bugtracker has this patch to fix the problem: http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872 and this patch to include the fix in coreutils and a small test case: http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872 Can a CVE please be assigned for this issue. (Incidentally, that's some hairy-looking code; someone with time and an inclination to join Hanno's fuzzing project might find it a fruitful starting point.) Thanks
Attachment:
signature.asc
Description: Digital signature
Current thread:
- parse_datetime() bug in coreutils Seth Arnold (Nov 24)
- AW: parse_datetime() bug in coreutils Fiedler Roman (Nov 25)
- Re: parse_datetime() bug in coreutils Moritz Mühlenhoff (Dec 28)