Openembedded Core Discussions
From: akuster808 <akuster808@gmail.com>
To: "Maxin B. John" <maxin.john@enea.com>,
	 openembedded-core@lists.openembedded.org
Subject: Re: [dizzy][PATCH] coreutils: Fix CVE-2014-9471
Date: Tue, 20 Jan 2015 08:08:36 -0800	[thread overview]
Message-ID: <54BE7D84.5090808@gmail.com> (raw)
In-Reply-To: <20150119135710.GA21148@sestofb10.enea.se>

Thanks for the reminder.

Merged into my staging for dizzy-next.

- armin

On 01/19/2015 05:57 AM, Maxin B. John wrote:
> Gentle ping on this.
>
> On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote:
>> Fiedler Roman discovered that coreutils' parse_datetime() function
>> has some flaws that may be exploitable if date(1), touch(1),
>> or potentially other programs accept untrusted input for certain
>> parameters. While researching this issue, he discovered that it
>> was independently discovered by Bertrand Jacquin and reported at
>> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>>
>> $ touch '--date=TZ="123"345" @1'
>> *** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 ***
>> Aborted
>>
>> $ date '--date=TZ="123"345" @1'
>> date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8
>> error 4 in libc-2.20.so[7f6dd5af7000+199000]
>> Segmentation fault
>>
>> Signed-off-by: Maxin B. John <maxin.john@enea.com>
>> ---
>>   .../coreutils/coreutils-8.22/date-tz-crash.patch   | 43 ++++++++++++++++++++++
>>   meta/recipes-core/coreutils/coreutils_8.22.bb      |  1 +
>>   2 files changed, 44 insertions(+)
>>   create mode 100644 meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>>
>> diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>> new file mode 100644
>> index 0000000..570e4fd
>> --- /dev/null
>> +++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>> @@ -0,0 +1,43 @@
>> +This was reported in http://bugs.gnu.org/16872
>> +from the coreutils command: date -d 'TZ="""'
>> +
>> +The infinite loop for this case was present since the
>> +initial TZ="" parsing support in commit de95bdc2 29-10-2004.
>> +This was changed to a crash or heap corruption depending
>> +on the platform with commit 2e3e4195 18-01-2010.
>> +
>> +* lib/parse-datetime.y (parse_datetime): Break out of the
>> +TZ="" parsing loop once the second significant " is found.
>> +Also skip over any subsequent whitespace to be consistent
>> +with the non TZ= case.
>> +
>> +Fixes: CVE-2014-9471
>> +
>> +Upstream-Status: backport
>> +
>> +Signed-off-by: Maxin B. John <maxin.john@enea.com>
>> +Signed-off-by: Pádraig Brady <P@draigBrady.com>
>> +---
>> +diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
>> +--- coreutils-8.22-origin/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
>> ++++ coreutils-8.22/lib/parse-datetime.y	2015-01-05 17:11:16.754358184 +0100
>> +@@ -1303,8 +1303,6 @@
>> +             char tz1buf[TZBUFSIZE];
>> +             bool large_tz = TZBUFSIZE < tzsize;
>> +             bool setenv_ok;
>> +-            /* Free tz0, in case this is the 2nd or subsequent time through. */
>> +-            free (tz0);
>> +             tz0 = get_tz (tz0buf);
>> +             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
>> +             for (s = tzbase; *s != '"'; s++)
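Review bot: removing `free (tz0)` here is only correct because the next hunk adds a `break` after the first TZ="..." has been handled, so this block can no longer run a second time; the patch description says to break out of the loop but never mentions that the free goes away or why. Since `tz0 = get_tz (tz0buf)` can hand back the stack buffer `tz0buf`, the repeated free on a second pass is what produced the `free(): invalid pointer` abort quoted in the commit message, and a one-line note to that effect in the description would stop a later backporter from reading the removal as a leak or reapplying the free.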
>> +@@ -1317,6 +1315,10 @@
>> +               goto fail;
>> +             tz_was_altered = true;
>> +             p = s + 1;
>> ++            while (c = *p, c_isspace (c))
>> ++              p++;
>> ++
>> ++            break;
>> +           }
>> +     }
>> +
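Review bot: `Upstream-Status: backport` should read `Upstream-Status: Backport` per the OE patch-header convention, and the header should name the upstream commit this was taken from: the description cites de95bdc2 and 2e3e4195 for the regression history but gives no reference for the fix itself, which is what a reviewer needs to compare against. On the code, the added `break` leaves the loop with `p` just past the closing quote and any following blanks, so for the `TZ="123"345" @1` input from the commit message the trailing `345" @1` now reaches the date grammar and is rejected rather than re-entering this block; it would help to state in the description that the two commands quoted above are the regression test and are now expected to fail as an invalid date instead of crashing.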
>> diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
>> index f85baca..4a1aee6 100644
>> --- a/meta/recipes-core/coreutils/coreutils_8.22.bb
>> +++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
>> @@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
>>              file://dummy_help2man.patch \
>>              file://fix-for-dummy-man-usage.patch \
>>              file://fix-selinux-flask.patch \
>> +           file://date-tz-crash.patch \
>>             "
>>
>>   SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
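Review bot: the new SRC_URI entry is fine, but the file name date-tz-crash.patch does not carry the CVE id that the subject line and the `Fixes: CVE-2014-9471` tag use; naming it CVE-2014-9471.patch (or at least putting the CVE id in the recipe comment next to this line) makes it possible to audit the dizzy branch for CVE coverage by searching for the number.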
>> --
>> 1.9.1


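As an added example, not code from this thread or from coreutils/gnulib, here is a constructed C model of the TZ="..." prefix scan the patch changes: the same input is run through the unfixed and the patched control flow, showing why a second quote re-enters the block and how the added break and whitespace skip leave the remainder for the date grammar to reject. The names scan_tz_prefix, struct tz_scan, TZ_MAX and REENTRY_CAP are assumptions of this model.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the TZ="..." prefix scan in gnulib's parse_datetime(),
   not the real parser. Unfixed, the scan keeps walking the input after the
   closing quote, so a second '"' re-enters the block: the zone is re-copied,
   tz0 is freed again (the crash on the page) or the loop never ends. `fixed`
   applies the patch: stop after the first TZ="..." and skip trailing blanks. */
#define TZ_MAX 64
#define REENTRY_CAP 8   /* bounds the unfixed loop so this model terminates */

struct tz_scan {
    char tz[TZ_MAX];    /* extracted zone text, escapes removed */
    const char *rest;   /* what the date parser would see next */
    int entries;        /* how many times the closing-quote block ran */
};

/* True when there was no prefix or exactly one prefix was consumed. */
bool scan_tz_prefix(const char *p, bool fixed, struct tz_scan *out)
{
    *out = (struct tz_scan){ .rest = p };
    if (strncmp(p, "TZ=\"", 4) != 0)
        return true;
    const char *tzbase = p + 4;
    for (const char *s = tzbase; *s; s++) {
        if (*s == '\\') {                    /* only \\ and \" may be escaped */
            s++;
            if (!(*s == '\\' || *s == '"'))
                break;
        } else if (*s == '"') {
            if (out->entries == REENTRY_CAP || (size_t)(s - tzbase) >= TZ_MAX) {
                out->rest = p;
                return false;                /* runaway re-entry or oversized zone */
            }
            out->entries++;
            char *z = out->tz;
            for (s = tzbase; *s != '"'; s++) /* copy the zone, dropping escapes */
                *z++ = *(s += *s == '\\');
            *z = '\0';
            p = s + 1;                       /* input continues after the quote */
            if (fixed) {
                while (isspace((unsigned char)*p))
                    p++;
                break;                       /* the patch's fix: parse TZ once */
            }
        }
    }
    out->rest = p;
    return out->entries == 1;
}
```

With the input from the commit message, the unfixed flow hits REENTRY_CAP (the real code crashed or looped at the second entry), while the fixed flow consumes TZ="123" once and hands `345" @1` on as an ordinary, invalid date string.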
Thread overview:
2015-01-07 12:11 [dizzy][PATCH] coreutils: Fix CVE-2014-9471 Maxin B. John
2015-01-19 13:57 ` Maxin B. John
2015-01-20 16:00   ` Burton, Ross
2015-01-20 17:28     ` Maxin B. John
2015-01-20 16:08   ` akuster808 [this message]