[OE-core] [dizzy][PATCH] coreutils: Fix CVE-2014-9471

akuster808 akuster808 at gmail.com
Tue Jan 20 16:08:36 UTC 2015


Thanks for the reminder.

Merged into my staging for dizzy-next.

- armin

On 01/19/2015 05:57 AM, Maxin B. John wrote:
> Gentle ping on this.
>
> On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote:
>> Fiedler Roman discovered that coreutils' parse_datetime() function
>> has some flaws that may be exploitable if the date(1), touch(1),
>> or potentially other programs, accept untrusted input for certain
>> parameters. While researching this issue, he discovered that it
>> was independently discovered by Bertrand Jacquin and reported at
>> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>>
>> $ touch '--date=TZ="123"345" @1'
>> *** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 ***
>> Aborted
>>
>> $ date '--date=TZ="123"345" @1'
>> date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8
>> error 4 in libc-2.20.so[7f6dd5af7000+199000]
>> Segmentation fault
>>
>> Signed-off-by: Maxin B. John <maxin.john at enea.com>
>> ---
>>   .../coreutils/coreutils-8.22/date-tz-crash.patch   | 43 ++++++++++++++++++++++
>>   meta/recipes-core/coreutils/coreutils_8.22.bb      |  1 +
>>   2 files changed, 44 insertions(+)
>>   create mode 100644 meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>>
>> diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>> new file mode 100644
>> index 0000000..570e4fd
>> --- /dev/null
>> +++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>> @@ -0,0 +1,43 @@
>> +This was reported in http://bugs.gnu.org/16872
>> +from the coreutils command: date -d 'TZ="""'
>> +
>> +The infinite loop for this case was present since the
>> +initial TZ="" parsing support in commit de95bdc2 29-10-2004.
>> +This was changed to a crash or heap corruption depending
>> +on the platform with commit 2e3e4195 18-01-2010.
>> +
>> +* lib/parse-datetime.y (parse_datetime): Break out of the
>> +TZ="" parsing loop once the second significant " is found.
>> +Also skip over any subsequent whitespace to be consistent
>> +with the non TZ= case.
>> +
>> +Fixes: CVE-2014-9471
>> +
>> +Upstream-Status: backport
>> +
>> +Signed-off-by: Maxin B. John <maxin.john at enea.com>
>> +Signed-off-by: Pádraig Brady <P at draigBrady.com>
>> +---
>> +diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
>> +--- coreutils-8.22-origin/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
>> ++++ coreutils-8.22/lib/parse-datetime.y	2015-01-05 17:11:16.754358184 +0100
>> +@@ -1303,8 +1303,6 @@
>> +             char tz1buf[TZBUFSIZE];
>> +             bool large_tz = TZBUFSIZE < tzsize;
>> +             bool setenv_ok;
>> +-            /* Free tz0, in case this is the 2nd or subsequent time through. */
>> +-            free (tz0);
>> +             tz0 = get_tz (tz0buf);
>> +             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
>> +             for (s = tzbase; *s != '"'; s++)
>> +@@ -1317,6 +1315,10 @@
>> +               goto fail;
>> +             tz_was_altered = true;
>> +             p = s + 1;
>> ++            while (c = *p, c_isspace (c))
>> ++              p++;
>> ++
>> ++            break;
>> +           }
>> +     }
>> +
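Review bot: the two hunks inside date-tz-crash.patch are only correct as a pair, and the header should say so: dropping `free (tz0);` in the first hunk (`@@ -1303,8 +1303,6 @@`) is safe solely because the `break;` added in the second hunk (`@@ -1317,6 +1315,10 @@`) makes the TZ="..." block run at most once per call, so the second-pass free that the removed comment anticipated (and that the reported `free(): invalid pointer` abort points at) can no longer be reached; anyone cherry-picking either hunk alone would reintroduce the problem. Two smaller points: the added `while (c = *p, c_isspace (c)) p++;` relies on a `c` already declared in the enclosing scope, which is not visible in the hunk context, so please confirm it exists in 8.22's parse-datetime.y; and OE's convention is `Upstream-Status: Backport` (capitalised), ideally followed by a reference to the upstream commit the hunks were taken from, since the header currently cites only the 2004 and 2010 commits that introduced the bug.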
>> diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
>> index f85baca..4a1aee6 100644
>> --- a/meta/recipes-core/coreutils/coreutils_8.22.bb
>> +++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
>> @@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
>>              file://dummy_help2man.patch \
>>              file://fix-for-dummy-man-usage.patch \
>>              file://fix-selinux-flask.patch \
>> +           file://date-tz-crash.patch \
>>             "
>>
>>   SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
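Review bot: the new `file://date-tz-crash.patch \` line in the SRC_URI hunk appears to be indented one column less than the surrounding `file://` entries; please align it with the existing lines. Optionally, naming the file after the CVE (e.g. `CVE-2014-9471.patch`) would make this fix easier to locate in the recipe directory later, though the current name is acceptable.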
>> --
>> 1.9.1
