[OE-core] [dizzy][PATCH] coreutils: Fix CVE-2014-9471

Maxin B. John maxin.john at enea.com
Mon Jan 19 13:57:10 UTC 2015


Gentle ping on this.

On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote:
> Fiedler Roman discovered that coreutils' parse_datetime() function
> has some flaws that may be exploitable if the date(1), touch(1),
> or potentially other programs, accept untrusted input for certain
> parameters. While researching this issue, he discovered that it
> was independently discovered by Bertrand Jacquin and reported at
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
> 
> $ touch '--date=TZ="123"345" @1'
> *** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 ***
> Aborted
> 
> $ date '--date=TZ="123"345" @1'
> date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8
> error 4 in libc-2.20.so[7f6dd5af7000+199000]
> Segmentation fault
> 
> Signed-off-by: Maxin B. John <maxin.john at enea.com>
> ---
>  .../coreutils/coreutils-8.22/date-tz-crash.patch   | 43 ++++++++++++++++++++++
>  meta/recipes-core/coreutils/coreutils_8.22.bb      |  1 +
>  2 files changed, 44 insertions(+)
>  create mode 100644 meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
> 
> diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
> new file mode 100644
> index 0000000..570e4fd
> --- /dev/null
> +++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
> @@ -0,0 +1,43 @@
> +This was reported in http://bugs.gnu.org/16872
> +from the coreutils command: date -d 'TZ="""'
> +
> +The infinite loop for this case was present since the
> +initial TZ="" parsing support in commit de95bdc2 29-10-2004.
> +This was changed to a crash or heap corruption depending
> +on the platform with commit 2e3e4195 18-01-2010.
> +
> +* lib/parse-datetime.y (parse_datetime): Break out of the
> +TZ="" parsing loop once the second significant " is found.
> +Also skip over any subsequent whitespace to be consistent
> +with the non TZ= case.
> +
> +Fixes: CVE-2014-9471
> +
> +Upstream-Status: backport
> +
> +Signed-off-by: Maxin B. John <maxin.john at enea.com>
> +Signed-off-by: Pádraig Brady <P at draigBrady.com>
> +---
> +diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
> +--- coreutils-8.22-origin/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
> ++++ coreutils-8.22/lib/parse-datetime.y	2015-01-05 17:11:16.754358184 +0100
> +@@ -1303,8 +1303,6 @@
> +             char tz1buf[TZBUFSIZE];
> +             bool large_tz = TZBUFSIZE < tzsize;
> +             bool setenv_ok;
> +-            /* Free tz0, in case this is the 2nd or subsequent time through. */
> +-            free (tz0);
> +             tz0 = get_tz (tz0buf);
> +             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
> +             for (s = tzbase; *s != '"'; s++)
> +@@ -1317,6 +1315,10 @@
> +               goto fail;
> +             tz_was_altered = true;
> +             p = s + 1;
> ++            while (c = *p, c_isspace (c))
> ++              p++;
> ++
> ++            break;
> +           }
> +     }
> + 
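Review bot: `Upstream-Status: backport` should be spelled `Backport` (the OE-core patch-tagging convention) and should cite the upstream commit it was taken from, so the patch can be dropped or re-verified cleanly when coreutils is next upgraded; the header block around `Fixes: CVE-2014-9471` is the natural place for that reference. On the code change itself, dropping `free (tz0)` and adding `break;` belong together: the `free(): invalid pointer` abort reproduced in the cover letter comes from the second pass through this block, and once `break;` guarantees the block runs at most once per parse the free has no remaining purpose. The `z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;` line a few lines below also shows that these tz pointers are not always heap allocations, which is a further reason not to free tz0 here; if this patch is ever rebased, keep both halves of the change.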
> diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
> index f85baca..4a1aee6 100644
> --- a/meta/recipes-core/coreutils/coreutils_8.22.bb
> +++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
> @@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
>             file://dummy_help2man.patch \
>             file://fix-for-dummy-man-usage.patch \
>             file://fix-selinux-flask.patch \
> +           file://date-tz-crash.patch \
>            "
>  
>  SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
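Review bot: Consider naming the patch file after the CVE it fixes (for example `CVE-2014-9471.patch`) or including the CVE in the name, since the only CVE reference is inside the patch header and anyone auditing the dizzy recipe from the SRC_URI list alone will not see it. The added `+           file://date-tz-crash.patch \` line matches the indentation and trailing-backslash style of the neighbouring entries, and the checksum lines below are correctly left untouched for a `file://` addition.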
> -- 
> 1.9.1


