Openembedded Core Discussions
* [dizzy][PATCH] coreutils: Fix CVE-2014-9471
@ 2015-01-07 12:11 Maxin B. John
  2015-01-19 13:57 ` Maxin B. John
  0 siblings, 1 reply; 5+ messages in thread
From: Maxin B. John @ 2015-01-07 12:11 UTC (permalink / raw)
  To: openembedded-core; +Cc: Maxin B. John

Fiedler Roman discovered that coreutils' parse_datetime() function
has some flaws that may be exploitable if the date(1), touch(1),
or potentially other programs, accept untrusted input for certain
parameters. While researching this issue, he discovered that it
was independently discovered by Bertrand Jacquin and reported at
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872

$ touch '--date=TZ="123"345" @1'
*** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 ***
Aborted

$ date '--date=TZ="123"345" @1'
date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8
error 4 in libc-2.20.so[7f6dd5af7000+199000]
Segmentation fault

Signed-off-by: Maxin B. John <maxin.john@enea.com>
---
 .../coreutils/coreutils-8.22/date-tz-crash.patch   | 43 ++++++++++++++++++++++
 meta/recipes-core/coreutils/coreutils_8.22.bb      |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch

diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
new file mode 100644
index 0000000..570e4fd
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
@@ -0,0 +1,43 @@
+This was reported in http://bugs.gnu.org/16872
+from the coreutils command: date -d 'TZ="""'
+
+The infinite loop for this case was present since the
+initial TZ="" parsing support in commit de95bdc2 29-10-2004.
+This was changed to a crash or heap corruption depending
+on the platform with commit 2e3e4195 18-01-2010.
+
+* lib/parse-datetime.y (parse_datetime): Break out of the
+TZ="" parsing loop once the second significant " is found.
+Also skip over any subsequent whitespace to be consistent
+with the non TZ= case.
+
+Fixes: CVE-2014-9471
+
+Upstream-Status: backport
+
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+Signed-off-by: Pádraig Brady <P@draigBrady.com>
+---
+diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
+--- coreutils-8.22-origin/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
++++ coreutils-8.22/lib/parse-datetime.y	2015-01-05 17:11:16.754358184 +0100
+@@ -1303,8 +1303,6 @@
+             char tz1buf[TZBUFSIZE];
+             bool large_tz = TZBUFSIZE < tzsize;
+             bool setenv_ok;
+-            /* Free tz0, in case this is the 2nd or subsequent time through. */
+-            free (tz0);
+             tz0 = get_tz (tz0buf);
+             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
+             for (s = tzbase; *s != '"'; s++)
+@@ -1317,6 +1315,10 @@
+               goto fail;
+             tz_was_altered = true;
+             p = s + 1;
++            while (c = *p, c_isspace (c))
++              p++;
++
++            break;
+           }
+     }
+ 
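Review bot: the removal of `+-            free (tz0);` and the added `++            break;` are one change, but the patch header only explains the break; please state that the free is dropped because, once the scan leaves the TZ="" block after the first closing `"`, the block cannot run a "2nd or subsequent time", and confirm that the value assigned by `tz0 = get_tz (tz0buf);` is still released on the function's exit path outside this hunk, since the only free of tz0 visible here is the one being removed. Two smaller points: `++            while (c = *p, c_isspace (c))` relies on a `c` declared outside the hunk, so check it is in scope at this point of the backported 8.22 source; and OE-core writes the tag as `Upstream-Status: Backport` (capitalised) and expects a reference to the upstream commit being backported, whereas this header cites only the bug URL.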
diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
index f85baca..4a1aee6 100644
--- a/meta/recipes-core/coreutils/coreutils_8.22.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            file://dummy_help2man.patch \
            file://fix-for-dummy-man-usage.patch \
            file://fix-selinux-flask.patch \
+           file://date-tz-crash.patch \
           "
 
 SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
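Review bot: `file://date-tz-crash.patch` is added correctly to SRC_URI, but naming the file after the CVE it fixes (for example `CVE-2014-9471.patch`) is common practice in OE-core for security backports and makes the fix easy to find in the recipe directory; if the descriptive name is kept, the `Fixes: CVE-2014-9471` line in the patch header is what lets the CVE be located, so make sure it stays. Scoping the hunk to coreutils_8.22.bb only is consistent with the later reply in this thread that 8.23 already carries the fix.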
-- 
1.9.1
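
The fix described in the patch header, as an added example that is not code from the page, gnulib or coreutils: a stand-alone C model of the quoted TZ="..." prefix scan with the corrected behaviour, that is, stop at the first unescaped closing quote, skip the whitespace after it, never rescan the remainder, and copy into a bounded buffer. `parse_tz_prefix`, `tz_parses_to`, `tz_status_of`, `TZ_MAX` and the status codes are this example's own assumed names, and the standard `isspace()` stands in for gnulib's `c_isspace()`. The inputs in `main` are constructed and include the two strings from the bug report.

```c
/* Added example (not gnulib's parse-datetime.y code): a stand-alone model of
   the quoted TZ="..." prefix scan with the fixed behaviour described in the
   patch header.  parse_tz_prefix, tz_parses_to, tz_status_of, TZ_MAX and the
   status codes are this example's own names.  isspace() stands in for
   gnulib's c_isspace(). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TZ_MAX 64   /* example's own bound on the extracted TZ value */

enum tz_status
{
  TZ_OK = 0,        /* TZ="..." found, value copied, *rest points past it   */
  TZ_NONE = 1,      /* input does not start with TZ="; *rest == input       */
  TZ_INVALID = 2,   /* no closing quote, or a backslash not followed by " or \ */
  TZ_TOO_LONG = 3   /* value does not fit in tz_out                         */
};

/* Scan INPUT for a leading TZ="..." and copy the unescaped value into TZ_OUT
   (capacity TZ_OUT_SIZE).  On success *REST is the first non-blank character
   after the closing quote.  The scan stops at the first unescaped '"' and is
   never resumed, which is the point of the fix: text after the closing quote
   is the caller's date string, not more TZ= input. */
enum tz_status
parse_tz_prefix (const char *input, char *tz_out, size_t tz_out_size,
                 const char **rest)
{
  const char *s;
  size_t n = 0;

  *rest = input;
  if (strncmp (input, "TZ=\"", 4) != 0)
    return TZ_NONE;
  if (tz_out_size == 0)
    return TZ_TOO_LONG;                /* no room even for the terminator */

  for (s = input + 4; *s != '"'; s++)
    {
      if (*s == '\0')
        return TZ_INVALID;             /* ran off the end: no closing quote */
      if (*s == '\\')
        {
          if (s[1] != '"' && s[1] != '\\')
            return TZ_INVALID;         /* only \" and \\ are escapes */
          s++;                         /* copy the escaped character itself */
        }
      if (n + 1 >= tz_out_size)
        return TZ_TOO_LONG;            /* bounded copy, no overflow of tz_out */
      tz_out[n++] = *s;
    }
  tz_out[n] = '\0';

  /* Past the closing quote: skip whitespace (as the fix does) and hand the
     remainder back.  No second pass over it, so a later '"' is just data. */
  for (s++; isspace ((unsigned char) *s); s++)
    continue;
  *rest = s;
  return TZ_OK;
}

/* Helper for checks: 1 if INPUT parses to WANT_TZ with remainder WANT_REST. */
int
tz_parses_to (const char *input, const char *want_tz, const char *want_rest)
{
  char tz[TZ_MAX];
  const char *rest;

  if (parse_tz_prefix (input, tz, sizeof tz, &rest) != TZ_OK)
    return 0;
  return strcmp (tz, want_tz) == 0 && strcmp (rest, want_rest) == 0;
}

/* Helper for checks: the status code when the output buffer holds CAP bytes. */
enum tz_status
tz_status_of (const char *input, size_t cap)
{
  char tz[TZ_MAX];
  const char *rest;

  if (cap > sizeof tz)
    cap = sizeof tz;
  return parse_tz_prefix (input, tz, cap, &rest);
}

int
main (void)
{
  /* Constructed inputs; the first two are the strings from the bug report. */
  const char *samples[] = {
    "TZ=\"123\"345\" @1",
    "TZ=\"\"\"",
    "TZ=\"Europe/\\\"Quoted\\\"\" 2015-01-07",
    "TZ=\"unterminated",
    "2015-01-07 12:11",
  };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    {
      char tz[TZ_MAX];
      const char *rest;
      enum tz_status st = parse_tz_prefix (samples[i], tz, sizeof tz, &rest);

      printf ("%-40s -> status %d", samples[i], (int) st);
      if (st == TZ_OK)
        printf (", TZ=\"%s\", rest=\"%s\"", tz, rest);
      putchar ('\n');
    }
  return 0;
}
```

For the report's `TZ="123"345" @1` the scanner yields the value `123` and returns the remainder `345" @1` to the caller for ordinary date parsing; the stray quote in it is never rescanned as the start of another TZ block, which is the loop re-entry the backport removes. For `TZ="""` the value is empty and the remainder is a single `"`.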




* Re: [dizzy][PATCH] coreutils: Fix CVE-2014-9471
  2015-01-07 12:11 [dizzy][PATCH] coreutils: Fix CVE-2014-9471 Maxin B. John
@ 2015-01-19 13:57 ` Maxin B. John
  2015-01-20 16:00   ` Burton, Ross
  2015-01-20 16:08   ` akuster808
  0 siblings, 2 replies; 5+ messages in thread
From: Maxin B. John @ 2015-01-19 13:57 UTC (permalink / raw)
  To: openembedded-core

Gentle ping on this.

On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote:
> Fiedler Roman discovered that coreutils' parse_datetime() function
> has some flaws that may be exploitable if the date(1), touch(1),
> or potentially other programs, accept untrusted input for certain
> parameters. While researching this issue, he discovered that it
> was independently discovered by Bertrand Jacquin and reported at
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
> 
> $ touch '--date=TZ="123"345" @1'
> *** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 ***
> Aborted
> 
> $ date '--date=TZ="123"345" @1'
> date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8
> error 4 in libc-2.20.so[7f6dd5af7000+199000]
> Segmentation fault
> 
> Signed-off-by: Maxin B. John <maxin.john@enea.com>
> ---
>  .../coreutils/coreutils-8.22/date-tz-crash.patch   | 43 ++++++++++++++++++++++
>  meta/recipes-core/coreutils/coreutils_8.22.bb      |  1 +
>  2 files changed, 44 insertions(+)
>  create mode 100644 meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
> 
> diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
> new file mode 100644
> index 0000000..570e4fd
> --- /dev/null
> +++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
> @@ -0,0 +1,43 @@
> +This was reported in http://bugs.gnu.org/16872
> +from the coreutils command: date -d 'TZ="""'
> +
> +The infinite loop for this case was present since the
> +initial TZ="" parsing support in commit de95bdc2 29-10-2004.
> +This was changed to a crash or heap corruption depending
> +on the platform with commit 2e3e4195 18-01-2010.
> +
> +* lib/parse-datetime.y (parse_datetime): Break out of the
> +TZ="" parsing loop once the second significant " is found.
> +Also skip over any subsequent whitespace to be consistent
> +with the non TZ= case.
> +
> +Fixes: CVE-2014-9471
> +
> +Upstream-Status: backport
> +
> +Signed-off-by: Maxin B. John <maxin.john@enea.com>
> +Signed-off-by: Pádraig Brady <P@draigBrady.com>
> +---
> +diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
> +--- coreutils-8.22-origin/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
> ++++ coreutils-8.22/lib/parse-datetime.y	2015-01-05 17:11:16.754358184 +0100
> +@@ -1303,8 +1303,6 @@
> +             char tz1buf[TZBUFSIZE];
> +             bool large_tz = TZBUFSIZE < tzsize;
> +             bool setenv_ok;
> +-            /* Free tz0, in case this is the 2nd or subsequent time through. */
> +-            free (tz0);
> +             tz0 = get_tz (tz0buf);
> +             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
> +             for (s = tzbase; *s != '"'; s++)
> +@@ -1317,6 +1315,10 @@
> +               goto fail;
> +             tz_was_altered = true;
> +             p = s + 1;
> ++            while (c = *p, c_isspace (c))
> ++              p++;
> ++
> ++            break;
> +           }
> +     }
> + 
> diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
> index f85baca..4a1aee6 100644
> --- a/meta/recipes-core/coreutils/coreutils_8.22.bb
> +++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
> @@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
>             file://dummy_help2man.patch \
>             file://fix-for-dummy-man-usage.patch \
>             file://fix-selinux-flask.patch \
> +           file://date-tz-crash.patch \
>            "
>  
>  SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
> -- 
> 1.9.1



* Re: [dizzy][PATCH] coreutils: Fix CVE-2014-9471
  2015-01-19 13:57 ` Maxin B. John
@ 2015-01-20 16:00   ` Burton, Ross
  2015-01-20 17:28     ` Maxin B. John
  2015-01-20 16:08   ` akuster808
  1 sibling, 1 reply; 5+ messages in thread
From: Burton, Ross @ 2015-01-20 16:00 UTC (permalink / raw)
  To: Maxin B. John; +Cc: OE-core


On 19 January 2015 at 13:57, Maxin B. John <maxin.john@enea.com> wrote:

> On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote:
> > Fiedler Roman discovered that coreutils' parse_datetime() function
> > has some flaws that may be exploitable if the date(1), touch(1),
> > or potentially other programs, accept untrusted input for certain
> > parameters. While researching this issue, he discovered that it
> > was independently discovered by Bertrand Jacquin and reported at
> > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
> >
>

Was this bug still in 8.23 so it needs to be applied to master, or is it
dizzy-specific?

Ross



* Re: [dizzy][PATCH] coreutils: Fix CVE-2014-9471
  2015-01-19 13:57 ` Maxin B. John
  2015-01-20 16:00   ` Burton, Ross
@ 2015-01-20 16:08   ` akuster808
  1 sibling, 0 replies; 5+ messages in thread
From: akuster808 @ 2015-01-20 16:08 UTC (permalink / raw)
  To: Maxin B. John, openembedded-core

thanks for the reminder.

merged into my staging for dizzy-next

- armin

On 01/19/2015 05:57 AM, Maxin B. John wrote:
> Gentle ping on this.
>
> On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote:
>> Fiedler Roman discovered that coreutils' parse_datetime() function
>> has some flaws that may be exploitable if the date(1), touch(1),
>> or potentially other programs, accept untrusted input for certain
>> parameters. While researching this issue, he discovered that it
>> was independently discovered by Bertrand Jacquin and reported at
>> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>>
>> $ touch '--date=TZ="123"345" @1'
>> *** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 ***
>> Aborted
>>
>> $ date '--date=TZ="123"345" @1'
>> date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8
>> error 4 in libc-2.20.so[7f6dd5af7000+199000]
>> Segmentation fault
>>
>> Signed-off-by: Maxin B. John <maxin.john@enea.com>
>> ---
>>   .../coreutils/coreutils-8.22/date-tz-crash.patch   | 43 ++++++++++++++++++++++
>>   meta/recipes-core/coreutils/coreutils_8.22.bb      |  1 +
>>   2 files changed, 44 insertions(+)
>>   create mode 100644 meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>>
>> diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>> new file mode 100644
>> index 0000000..570e4fd
>> --- /dev/null
>> +++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
>> @@ -0,0 +1,43 @@
>> +This was reported in http://bugs.gnu.org/16872
>> +from the coreutils command: date -d 'TZ="""'
>> +
>> +The infinite loop for this case was present since the
>> +initial TZ="" parsing support in commit de95bdc2 29-10-2004.
>> +This was changed to a crash or heap corruption depending
>> +on the platform with commit 2e3e4195 18-01-2010.
>> +
>> +* lib/parse-datetime.y (parse_datetime): Break out of the
>> +TZ="" parsing loop once the second significant " is found.
>> +Also skip over any subsequent whitespace to be consistent
>> +with the non TZ= case.
>> +
>> +Fixes: CVE-2014-9471
>> +
>> +Upstream-Status: backport
>> +
>> +Signed-off-by: Maxin B. John <maxin.john@enea.com>
>> +Signed-off-by: Pádraig Brady <P@draigBrady.com>
>> +---
>> +diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
>> +--- coreutils-8.22-origin/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
>> ++++ coreutils-8.22/lib/parse-datetime.y	2015-01-05 17:11:16.754358184 +0100
>> +@@ -1303,8 +1303,6 @@
>> +             char tz1buf[TZBUFSIZE];
>> +             bool large_tz = TZBUFSIZE < tzsize;
>> +             bool setenv_ok;
>> +-            /* Free tz0, in case this is the 2nd or subsequent time through. */
>> +-            free (tz0);
>> +             tz0 = get_tz (tz0buf);
>> +             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
>> +             for (s = tzbase; *s != '"'; s++)
>> +@@ -1317,6 +1315,10 @@
>> +               goto fail;
>> +             tz_was_altered = true;
>> +             p = s + 1;
>> ++            while (c = *p, c_isspace (c))
>> ++              p++;
>> ++
>> ++            break;
>> +           }
>> +     }
>> +
>> diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
>> index f85baca..4a1aee6 100644
>> --- a/meta/recipes-core/coreutils/coreutils_8.22.bb
>> +++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
>> @@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
>>              file://dummy_help2man.patch \
>>              file://fix-for-dummy-man-usage.patch \
>>              file://fix-selinux-flask.patch \
>> +           file://date-tz-crash.patch \
>>             "
>>
>>   SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
>> --
>> 1.9.1



* Re: [dizzy][PATCH] coreutils: Fix CVE-2014-9471
  2015-01-20 16:00   ` Burton, Ross
@ 2015-01-20 17:28     ` Maxin B. John
  0 siblings, 0 replies; 5+ messages in thread
From: Maxin B. John @ 2015-01-20 17:28 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core

Hi Ross,

On Tue, Jan 20, 2015 at 04:00:02PM +0000, Burton, Ross wrote:
> 
> On 19 January 2015 at 13:57, Maxin B. John <maxin.john@enea.com> wrote:
> 
>     On Wed, Jan 07, 2015 at 01:11:43PM +0100, Maxin B. John wrote:
>     > Fiedler Roman discovered that coreutils' parse_datetime() function
>     > has some flaws that may be exploitable if the date(1), touch(1),
>     > or potentially other programs, accept untrusted input for certain
>     > parameters. While researching this issue, he discovered that it
>     > was independently discovered by Bertrand Jacquin and reported at
>     > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>     >
> 
> 
> Was this bug still in 8.23 so it needs to be applied to master, or is it
> dizzy-specific?

This bug is already fixed in 8.23. So, we don't have to apply this on
master.

> Ross 
Best Regards,
Maxin



