Gentle ping on this.
On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote: > Fiedler Roman discovered that coreutils' parse_datetime() function > has some flaws that may be exploitable if the date(1), touch(1), > or potentially other programs, accept untrusted input for certain > parameters. While researching this issue, he discovered that it > was independently discovered by Bertrand Jacquin and reported at > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872 > > $ touch '--date=TZ="123"345" @1' > *** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 *** > Aborted > > $ date '--date=TZ="123"345" @1' > date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8 > error 4 in libc-2.20.so[7f6dd5af7000+199000] > Segmentation fault > > Signed-off-by: Maxin B. John <maxin.j...@enea.com> > --- > .../coreutils/coreutils-8.22/date-tz-crash.patch | 43 > ++++++++++++++++++++++ > meta/recipes-core/coreutils/coreutils_8.22.bb | 1 + > 2 files changed, 44 insertions(+) > create mode 100644 > meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch > > diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch > b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch > new file mode 100644 > index 0000000..570e4fd > --- /dev/null > +++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch 
> @@ -0,0 +1,43 @@ > +This was reported in http://bugs.gnu.org/16872 > +from the coreutils command: date -d 'TZ="""' > + > +The infinite loop for this case was present since the > +initial TZ="" parsing support in commit de95bdc2 29-10-2004. > +This was changed to a crash or heap corruption depending > +on the platform with commit 2e3e4195 18-01-2010. > + > +* lib/parse-datetime.y (parse_datetime): Break out of the > +TZ="" parsing loop once the second significant " is found. > +Also skip over any subsequent whitespace to be consistent > +with the non TZ= case. > + > +Fixes: CVE-2014-9471 > + > +Upstream-Status: backport > + > +Signed-off-by: Maxin B. John <maxin.j...@enea.com> > +Signed-off-by: Pádraig Brady <p...@draigbrady.com> > +--- > +diff -Naur coreutils-8.22-origin/lib/parse-datetime.y > coreutils-8.22/lib/parse-datetime.y > +--- coreutils-8.22-origin/lib/parse-datetime.y 2013-12-04 > 15:53:33.000000000 +0100 > ++++ coreutils-8.22/lib/parse-datetime.y 2015-01-05 17:11:16.754358184 > +0100 > +@@ -1303,8 +1303,6 @@ > + char tz1buf[TZBUFSIZE]; > + bool large_tz = TZBUFSIZE < tzsize; > + bool setenv_ok; > +- /* Free tz0, in case this is the 2nd or subsequent time > through. */ > +- free (tz0); > + tz0 = get_tz (tz0buf); > + z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf; > + for (s = tzbase; *s != '"'; s++) > +@@ -1317,6 +1315,10 @@ > + goto fail; > + tz_was_altered = true; > + p = s + 1; > ++ while (c = *p, c_isspace (c)) > ++ p++; > ++ > ++ break; > + } > + } > + > diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb > b/meta/recipes-core/coreutils/coreutils_8.22.bb > index f85baca..4a1aee6 100644 > --- a/meta/recipes-core/coreutils/coreutils_8.22.bb > +++ b/meta/recipes-core/coreutils/coreutils_8.22.bb 
> @@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ > file://dummy_help2man.patch \ > file://fix-for-dummy-man-usage.patch \ > file://fix-selinux-flask.patch \ > + file://date-tz-crash.patch \ > " > > SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2" > -- > 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
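Review bot: in the backported parse-datetime.y change, the unconditional `free (tz0);` before `tz0 = get_tz (tz0buf);` is dropped rather than guarded, and that is only correct because the second nested hunk adds `break;` after the whitespace skip, so the block now runs at most once per call. The stack-or-heap pattern visible for tz1 (`z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;`) indicates get_tz (tz0buf) can likewise hand back the stack buffer, which is what made the unconditional free report "invalid pointer"; the two nested hunks therefore have to land together, and a one-line comment at the `break;` noting that it is what makes the free removal safe would keep a later refactor from reintroducing the bug. On the patch header: the OE convention is `Upstream-Status: Backport` (capitalised), and since the header cites only the bug URL, adding the upstream gnulib commit it was taken from would let reviewers verify the backport against the original change.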