authorMaxin B. John <maxin.john@enea.com>2015-01-07 13:11:43 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-02-11 17:40:04 +0000
commitde512045185dd8ac9b2bb2cbb189809d49006189 (patch)
tree9a9c97124942af83001ef1ad90e2efd528fb77b6 /meta/recipes-core
parenteed2260137e84e176da67014649626bcdd3af265 (diff)
coreutils: Fix CVE-2014-9471
Fiedler Roman discovered that coreutils' parse_datetime() function has some flaws that may be exploitable if the date(1), touch(1), or potentially other programs, accept untrusted input for certain parameters. While researching this issue, he discovered that it was independently discovered by Bertrand Jacquin and reported at http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872 $ touch '--date=TZ="123"345" @1' *** Error in `touch': free(): invalid pointer: 0x00007fffd33e55e0 *** Aborted $ date '--date=TZ="123"345" @1' date[394]: segfault at 7fff24000000 ip 00007f6dd5b73404 sp 00007fff27cce8f8 error 4 in libc-2.20.so[7f6dd5af7000+199000] Segmentation fault (From OE-Core rev: 54debe63cbd38dba56895541c434f895e158f70b) Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch43
-rw-r--r--meta/recipes-core/coreutils/coreutils_8.22.bb1
2 files changed, 44 insertions, 0 deletions
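diff --git a/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
new file mode 100644
index 0000000000..570e4fd49c
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils-8.22/date-tz-crash.patch
@@ -0,0 +1,43 @@
+This was reported in http://bugs.gnu.org/16872
+from the coreutils command: date -d 'TZ="""'
+
+The infinite loop for this case was present since the
+initial TZ="" parsing support in commit de95bdc2 29-10-2004.
+This was changed to a crash or heap corruption depending
+on the platform with commit 2e3e4195 18-01-2010.
+
+* lib/parse-datetime.y (parse_datetime): Break out of the
+TZ="" parsing loop once the second significant " is found.
+Also skip over any subsequent whitespace to be consistent
+with the non TZ= case.
+
+Fixes: CVE-2014-9471
+
+Upstream-Status: backport
+
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+Signed-off-by: Pádraig Brady <P@draigBrady.com>
+---
+diff -Naur coreutils-8.22-origin/lib/parse-datetime.y coreutils-8.22/lib/parse-datetime.y
+--- coreutils-8.22-origin/lib/parse-datetime.y 2013-12-04 15:53:33.000000000 +0100
++++ coreutils-8.22/lib/parse-datetime.y 2015-01-05 17:11:16.754358184 +0100
+@@ -1303,8 +1303,6 @@
+ char tz1buf[TZBUFSIZE];
+ bool large_tz = TZBUFSIZE < tzsize;
+ bool setenv_ok;
+- /* Free tz0, in case this is the 2nd or subsequent time through. */
+- free (tz0);
+ tz0 = get_tz (tz0buf);
+ z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
+ for (s = tzbase; *s != '"'; s++)
+@@ -1317,6 +1315,10 @@
+ goto fail;
+ tz_was_altered = true;
+ p = s + 1;
++ while (c = *p, c_isspace (c))
++ p++;
++
++ break;
+ }
+ }
+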
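Review bot: The header of the added date-tz-crash.patch does not say which upstream commit the fix was taken from. It cites the bug report and the two older commits that introduced the loop and the crash (de95bdc2, 2e3e4195), but `Upstream-Status: backport` carries no reference, so the backport cannot be compared against upstream from the patch alone. I would write it as `Upstream-Status: Backport [<upstream commit id or URL>]`, and if the tree's CVE tooling matches on a tag rather than free text, add `CVE: CVE-2014-9471` next to the existing `Fixes:` line. No regression case accompanies the change, although the header already gives an input (`date -d 'TZ="""'`) that a test could pin to a clean parse failure. The body of parse_datetime starts and ends outside the two embedded hunks, so confirm against the full file that the dropped `free (tz0)` is safe because the new `break` makes this branch run only once.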
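diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
index f85bacabd3..4a1aee6260 100644
--- a/meta/recipes-core/coreutils/coreutils_8.22.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
  file://dummy_help2man.patch \
  file://fix-for-dummy-man-usage.patch \
  file://fix-selinux-flask.patch \
+ file://date-tz-crash.patch \
  "
 
 SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"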