Upstream-Status: Backport Signed-off-by: Sona Sarmadi --- diff -ruN a/ChangeLog b/ChangeLog --- a/ChangeLog 2013-12-13 16:20:00.000000000 +0100 +++ b/ChangeLog 2015-02-26 09:24:10.640577829 +0100 @@ -1,3 +1,11 @@ +2014-02-25 Sona Sarmadi + + parse-datetime: fix crash or infloop in TZ="" parsing + * lib/parse-datetime.y (parse_datetime): Break out of the + TZ="" parsing loop once the second significant " is found. + Also skip over any subsequent whitespace to be consistent + with the non TZ= case (CVE-2014-9471) + 2013-12-13 Pádraig Brady version 8.22 diff -ruN a/lib/parse-datetime.y b/lib/parse-datetime.y --- a/lib/parse-datetime.y 2013-12-04 15:53:33.000000000 +0100 +++ b/lib/parse-datetime.y 2015-02-26 09:20:15.238528670 +0100 @@ -1303,8 +1303,6 @@ char tz1buf[TZBUFSIZE]; bool large_tz = TZBUFSIZE < tzsize; bool setenv_ok; - /* Free tz0, in case this is the 2nd or subsequent time through. */ - free (tz0); tz0 = get_tz (tz0buf); z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf; for (s = tzbase; *s != '"'; s++) @@ -1316,7 +1314,12 @@ if (!setenv_ok) goto fail; tz_was_altered = true; + p = s + 1; + while (c = *p, c_isspace (c)) + p++; + + break; } }
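Review bot: The added `break;` in the second lib/parse-datetime.y hunk (`@@ -1316,7 +1314,12 @@`) is what makes the first hunk's removal of `free (tz0);` safe, but nothing in the code says so. With the break, this branch presumably runs at most once per call, so `tz0 = get_tz (tz0buf);` never overwrites a value obtained on an earlier pass; a comment above the break would record that, for example `/* Closing quote found and TZ set: stop scanning so this branch, which reassigns tz0, never runs twice. */`. The enclosing loop and the declarations of `c` and `p` lie outside both hunks, so this reading should be confirmed against the full function. The patch touches only ChangeLog and the parser, so a regression case covering the TZ="" parsing named in the ChangeLog entry would help keep the crash or infinite loop from returning.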