coreutils: parse-datetime: CVE-2014-9471

Memory corruption flaw in parse_datetime() Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9471 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-02-26 09:31:12 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:38 +0200
commit: fae5298ce647241f79fa5f8bcba9d4b7caeed1b7 (patch)
tree: f71d040396efe5d9bfbd5be14cb7f459ac3a2ec8
parent: 7247ad93ebeeb15defb0b57f4c95c0a0464c2cb8 (diff)
download: poky-fae5298ce647241f79fa5f8bcba9d4b7caeed1b7.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch b/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch
new file mode 100644
index 0000000000..d01bf06e0c
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch
@@ -0,0 +1,40 @@
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog 2013-12-13 16:20:00.000000000 +0100
+++ b/ChangeLog 2015-02-26 09:24:10.640577829 +0100
+@@ -1,3 +1,11 @@
+2014-02-25  Sona Sarmadi <sona.sarmadi@enea.com>
+
+       parse-datetime: fix crash or infloop in TZ="" parsing
+       * lib/parse-datetime.y (parse_datetime): Break out of the
+       TZ="" parsing loop once the second significant " is found.
+       Also skip over any subsequent whitespace to be consistent
+       with the non TZ= case (CVE-2014-9471)
+
+ 2013-12-13  Pádraig Brady  <P@draigBrady.com>
+ 
+        version 8.22
+diff -ruN a/lib/parse-datetime.y b/lib/parse-datetime.y
+--- a/lib/parse-datetime.y      2013-12-04 15:53:33.000000000 +0100
+++ b/lib/parse-datetime.y      2015-02-26 09:20:15.238528670 +0100
+@@ -1303,8 +1303,6 @@
+             char tz1buf[TZBUFSIZE];
+             bool large_tz = TZBUFSIZE < tzsize;
+             bool setenv_ok;
+-            /* Free tz0, in case this is the 2nd or subsequent time through. */
+-            free (tz0);
+             tz0 = get_tz (tz0buf);
+             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
+             for (s = tzbase; *s != '"'; s++)
+@@ -1316,7 +1314,12 @@
+             if (!setenv_ok)
+               goto fail;
+             tz_was_altered = true;
+
+             p = s + 1;
+            while (c = *p, c_isspace (c))
+              p++;
+
+            break;
+           }
+     }
+ 
diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
index ba3a0a0228..9746683b64 100644
--- a/meta/recipes-core/coreutils/coreutils_8.22.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
           file://remove-usr-local-lib-from-m4.patch \
           file://dummy_help2man.patch \
           file://fix-for-dummy-man-usage.patch \
+           file://parse-datetime-CVE-2014-9471.patch \
          "
 SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-02-26 09:31:12 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:38 +0200
commit	fae5298ce647241f79fa5f8bcba9d4b7caeed1b7 (patch)
tree	f71d040396efe5d9bfbd5be14cb7f459ac3a2ec8
parent	7247ad93ebeeb15defb0b57f4c95c0a0464c2cb8 (diff)
download	poky-fae5298ce647241f79fa5f8bcba9d4b7caeed1b7.tar.gz

diff --git a/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch b/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch new file mode 100644 index 0000000000..d01bf06e0c --- /dev/null +++ b/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch
@@ -0,0 +1,40 @@
		1	diff -ruN a/ChangeLog b/ChangeLog
		2	--- a/ChangeLog 2013-12-13 16:20:00.000000000 +0100
		3	+++ b/ChangeLog 2015-02-26 09:24:10.640577829 +0100
		4	@@ -1,3 +1,11 @@
		5	+2014-02-25 Sona Sarmadi <sona.sarmadi@enea.com>
		6	+
		7	+ parse-datetime: fix crash or infloop in TZ="" parsing
		8	+ * lib/parse-datetime.y (parse_datetime): Break out of the
		9	+ TZ="" parsing loop once the second significant " is found.
		10	+ Also skip over any subsequent whitespace to be consistent
		11	+ with the non TZ= case (CVE-2014-9471)
		12	+
		13	2013-12-13 Pádraig Brady <P@draigBrady.com>
		14
		15	version 8.22
		16	diff -ruN a/lib/parse-datetime.y b/lib/parse-datetime.y
		17	--- a/lib/parse-datetime.y 2013-12-04 15:53:33.000000000 +0100
		18	+++ b/lib/parse-datetime.y 2015-02-26 09:20:15.238528670 +0100
		19	@@ -1303,8 +1303,6 @@
		20	char tz1buf[TZBUFSIZE];
		21	bool large_tz = TZBUFSIZE < tzsize;
		22	bool setenv_ok;
		23	- /* Free tz0, in case this is the 2nd or subsequent time through. */
		24	- free (tz0);
		25	tz0 = get_tz (tz0buf);
		26	z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
		27	for (s = tzbase; *s != '"'; s++)
		28	@@ -1316,7 +1314,12 @@
		29	if (!setenv_ok)
		30	goto fail;
		31	tz_was_altered = true;
		32	+
		33	p = s + 1;
		34	+ while (c = *p, c_isspace (c))
		35	+ p++;
		36	+
		37	+ break;
		38	}
		39	}
		40


diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb index ba3a0a0228..9746683b64 100644 --- a/meta/recipes-core/coreutils/coreutils_8.22.bb +++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
16	file://remove-usr-local-lib-from-m4.patch \	16	file://remove-usr-local-lib-from-m4.patch \
17	file://dummy_help2man.patch \	17	file://dummy_help2man.patch \
18	file://fix-for-dummy-man-usage.patch \	18	file://fix-for-dummy-man-usage.patch \
		19	file://parse-datetime-CVE-2014-9471.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"	22	SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"