Date: Mon, 24 Nov 2014 18:47:24 -0800 From: Seth Arnold <seth.arnold@...onical.com> To: oss-security@...ts.openwall.com Cc: Fiedler Roman <Roman.Fiedler@....ac.at>, security@...ntu.com Subject: parse_datetime() bug in coreutils Hello, Fiedler Roman discovered that coreutils' parse_datetime() function has some flaws that may be exploitable if the date(1), touch(1), or potentially other programs, accept untrusted input for certain parameters. While researching this issue, he discovered that it was independantly discovered by Bertrand Jacquin and reported at http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872 $ touch '--date=TZ="123"345" @1' Segmentation fault (core dumped) $ date '--date=TZ="123"345" @1' *** Error in `date': double free or corruption (out): 0x00007fffc9866c20 *** Aborted (core dumped) $ The GNU bugtracker has this patch to fix the problem: http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872 and this patch to include the fix in coreutils and a small test case: http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872 Can a CVE please be assigned for this issue. (Incidentally, that's some hairy-looking code; someone with time and an inclination to join Hanno's fuzzing project might find it a fruitful starting point.) Thanks Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.