[oe-commits] Maxin B. John : coreutils: Fix CVE-2014-9471
git at git.openembedded.org
git at git.openembedded.org
Wed Feb 11 17:40:36 UTC 2015
Module: openembedded-core.git
Branch: dizzy
Commit: 54debe63cbd38dba56895541c434f895e158f70b
URL: http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=54debe63cbd38dba56895541c434f895e158f70b
Author: Maxin B. John <maxin.john at enea.com>
Date: Wed Jan 7 13:11:43 2015 +0100
coreutils: Fix CVE-2014-9471
Fiedler Roman discovered that coreutils' parse_datetime() function
has some flaws that may be exploitable if the date(1), touch(1),
or potentially other programs, accept untrusted input for certain
parameters. While researching this issue, he discovered that it
was independently discovered by Bertrand Jacquin and reported at
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
$ touch '--date=TZ="123"345" @1'
*** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 ***
Aborted
$ date '--date=TZ="123"345" @1'
date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8
error 4 in libc-2.20.so[7f6dd5af7000+199000]
Segmentation fault
Signed-off-by: Maxin B. John <maxin.john at enea.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../coreutils/coreutils-8.22/date-tz-crash.patch | 43 ++++++++++++++++++++++
meta/recipes-core/coreutils/coreutils_8.22.bb | 1 +
2 files changed, 44 insertions(+)
diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
new file mode 100644
index 0000000..570e4fd
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
@@ -0,0 +1,43 @@
+This was reported in http://bugs.gnu.org/16872
+from the coreutils command: date -d 'TZ="""'
+
+The infinite loop for this case was present since the
+initial TZ="" parsing support in commit de95bdc2 29-10-2004.
+This was changed to a crash or heap corruption depending
+on the platform with commit 2e3e4195 18-01-2010.
+
+* lib/parse-datetime.y (parse_datetime): Break out of the
+TZ="" parsing loop once the second significant " is found.
+Also skip over any subsequent whitespace to be consistent
+with the non TZ= case.
+
+Fixes: CVE-2014-9471
+
+Upstream-Status: backport
+
+Signed-off-by: Maxin B. John <maxin.john at enea.com>
+Signed-off-by: Pádraig Brady <P at draigBrady.com>
+---
+diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
+--- coreutils-8.22-origin/lib/parse-datetime.y 2013-12-04 15:53:33.000000000 +0100
++++ coreutils-8.22/lib/parse-datetime.y 2015-01-05 17:11:16.754358184 +0100
+@@ -1303,8 +1303,6 @@
+ char tz1buf[TZBUFSIZE];
+ bool large_tz = TZBUFSIZE < tzsize;
+ bool setenv_ok;
+- /* Free tz0, in case this is the 2nd or subsequent time through. */
+- free (tz0);
+ tz0 = get_tz (tz0buf);
+ z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
+ for (s = tzbase; *s != '"'; s++)
+@@ -1317,6 +1315,10 @@
+ goto fail;
+ tz_was_altered = true;
+ p = s + 1;
++ while (c = *p, c_isspace (c))
++ p++;
++
++ break;
+ }
+ }
+
diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
index f85baca..4a1aee6 100644
--- a/meta/recipes-core/coreutils/coreutils_8.22.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
file://dummy_help2man.patch \
file://fix-for-dummy-man-usage.patch \
file://fix-selinux-flask.patch \
+ file://date-tz-crash.patch \
"
SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
More information about the Openembedded-commits
mailing list