Re: parse_datetime() bug in coreutils

[cve-assign () mitre org]

On Mon, 29 Dec 2014, Moritz M??hlenhoff wrote:

> On Mon, Nov 24, 2014 at 06:47:24PM -0800, Seth Arnold wrote:
> > Hello,
> >
> > Fiedler Roman discovered that coreutils' parse_datetime() function
> > has some flaws that may be exploitable if the date(1), touch(1),
> > or potentially other programs, accept untrusted input for certain
> > parameters. While researching this issue, he discovered that it
> > was independantly discovered by Bertrand Jacquin and reported at
> > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
> >
> > $ touch '--date=TZ="123"345" @1'
> > Segmentation fault (core dumped)
> > $ date '--date=TZ="123"345" @1'
> > *** Error in `date': double free or corruption (out): 0x00007fffc9866c20 ***
> > Aborted (core dumped)
> > $
> >
> > The GNU bugtracker has this patch to fix the problem:
> > http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
> > and this patch to include the fix in coreutils and a small test case:
> > http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872
> >
> > Can a CVE please be assigned for this issue.

Use CVE-2014-9471.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]