Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 24 Nov 2014 18:47:24 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Fiedler Roman <Roman.Fiedler@....ac.at>, security@...ntu.com
Subject: parse_datetime() bug in coreutils

Hello,

Fiedler Roman discovered that coreutils' parse_datetime() function
has some flaws that may be exploitable if the date(1), touch(1),
or potentially other programs, accept untrusted input for certain
parameters. While researching this issue, he discovered that it
was independantly discovered by Bertrand Jacquin and reported at
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872

$ touch '--date=TZ="123"345" @1'
Segmentation fault (core dumped)
$ date '--date=TZ="123"345" @1'
*** Error in `date': double free or corruption (out): 0x00007fffc9866c20 ***
Aborted (core dumped)
$

The GNU bugtracker has this patch to fix the problem:
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
and this patch to include the fix in coreutils and a small test case:
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872

Can a CVE please be assigned for this issue.

(Incidentally, that's some hairy-looking code; someone with time and an
inclination to join Hanno's fuzzing project might find it a fruitful
starting point.)

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.