GNU bug report logs - #16872
`date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'` crashes


Package: coreutils;

Reported by: Mike Frysinger <vapier <at> gentoo.org>

Date: Tue, 25 Feb 2014 08:15:02 UTC

Severity: normal

Tags: fixed

Merged with 21186

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#16872; Package coreutils. (Tue, 25 Feb 2014 08:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Frysinger <vapier <at> gentoo.org>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Tue, 25 Feb 2014 08:15:04 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Mike Frysinger <vapier <at> gentoo.org>
To: bug-coreutils <at> gnu.org
Subject: `date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'` crashes
Date: Tue, 25 Feb 2014 03:13:52 -0500
[Message part 1 (text/plain, inline)]
as reported by Bertrand Jacquin, this crashes:
$ date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'
Segmentation fault

(gdb) bt
#0  0x00007ffff7ab1014 in __GI___libc_free (mem=0x7fffffffc8b0) at malloc.c:2942
#1  0x0000000000406730 in parse_datetime (result=result <at> entry=0x7fffffffcab0, p=<optimized out>, p <at> entry=0x7fffffffd04a "TZ=\"America/Los_Angeles\" \"00:00 + 1 hour\"", now=<optimized out>, now <at> entry=0x0) at ./lib/parse-datetime.y:1307
#2  0x00000000004023c7 in main (argc=0x3, argv=0x7fffffffcc68) at src/date.c:522

that's 15fca2a02e38d69915c52ef41eee3c7d52b67f3e i happened to have already
built, but seems to reproduce easily across older versions.
-mike
[signature.asc (application/pgp-signature, inline)]
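The backtrace above shows __GI___libc_free being handed 0x7fffffffc8b0, an address in the stack range rather than a heap pointer. One common way a parser ends up there is the small-buffer-or-malloc idiom: a short value is kept in a stack array and only a long one is heap-allocated, so the matching free has to be conditional. The following is an added illustration of that idiom applied to the TZ="..." prefix that date(1) accepts; it is not the gnulib parse_datetime code or its fix, and extract_tz, release_tz, tz_prefix_len and the SMALL_TZ size are constructed for this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed size, deliberately tiny so both the stack and heap paths run. */
#define SMALL_TZ 8

/* Copy the quoted value of a 'TZ="..."' prefix into SMALL when it fits,
   otherwise into a heap buffer.  Sets *REST to the text after the closing
   quote.  Returns NULL if the prefix is absent or the quote is unterminated. */
static char *
extract_tz (const char *p, char *small, size_t small_size, const char **rest)
{
  if (strncmp (p, "TZ=\"", 4) != 0)
    return NULL;
  const char *start = p + 4;
  const char *end = strchr (start, '"');
  if (!end)
    return NULL;                          /* unterminated quote: reject */
  size_t len = (size_t) (end - start);
  char *out = (len + 1 <= small_size) ? small : (char *) malloc (len + 1);
  if (!out)
    return NULL;
  memcpy (out, start, len);
  out[len] = '\0';
  *rest = end + 1;
  return out;
}

/* The invariant a conditional free protects: only the heap copy may be freed.
   Passing the stack array to free() is exactly what crashes inside libc. */
static void
release_tz (char *tz, const char *small)
{
  if (tz && tz != small)
    free (tz);
}

/* Returns the length of the extracted zone name (0 if rejected) and reports
   whether the heap path was taken, so the allocate/free pairing can be checked. */
int
tz_prefix_len (const char *input, bool *used_heap)
{
  char small[SMALL_TZ];
  const char *rest = NULL;
  char *tz = extract_tz (input, small, sizeof small, &rest);
  *used_heap = (tz != NULL && tz != small);
  if (!tz)
    return 0;
  int len = (int) strlen (tz);
  release_tz (tz, small);
  return len;
}
```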

Information forwarded to bug-coreutils <at> gnu.org:
bug#16872; Package coreutils. (Tue, 25 Feb 2014 08:51:01 GMT) Full text and rfc822 format available.

Message #8 received at 16872 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Mike Frysinger <vapier <at> gentoo.org>
Cc: 16872 <at> debbugs.gnu.org
Subject: Re: bug#16872: `date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'` crashes
Date: Tue, 25 Feb 2014 08:50:38 +0000
On 02/25/2014 08:13 AM, Mike Frysinger wrote:
> as reported by Bertrand Jacquin, this crashes:
> $ date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'
> Segmentation fault
> 
> (gdb) bt
> #0  0x00007ffff7ab1014 in __GI___libc_free (mem=0x7fffffffc8b0) at malloc.c:2942
> #1  0x0000000000406730 in parse_datetime (result=result <at> entry=0x7fffffffcab0, p=<optimized out>, p <at> entry=0x7fffffffd04a "TZ=\"America/Los_Angeles\" \"00:00 + 1 hour\"", now=<optimized out>, now <at> entry=0x0) at ./lib/parse-datetime.y:1307
> #2  0x00000000004023c7 in main (argc=0x3, argv=0x7fffffffcc68) at src/date.c:522
> 
> that's 15fca2a02e38d69915c52ef41eee3c7d52b67f3e i happened to have already
> built, but seems to reproduce easily across older versions.
> -mike
> 

Ugh. Reproducible here.
I'll fix up the issue in gnulib.

thanks!
Pádraig.




Information forwarded to bug-coreutils <at> gnu.org:
bug#16872; Package coreutils. (Tue, 25 Feb 2014 11:12:01 GMT) Full text and rfc822 format available.

Message #11 received at 16872 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Mike Frysinger <vapier <at> gentoo.org>
Cc: 16872 <at> debbugs.gnu.org, bug-gnulib <bug-gnulib <at> gnu.org>
Subject: Re: bug#16872: `date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'` crashes
Date: Tue, 25 Feb 2014 11:11:26 +0000
[Message part 1 (text/plain, inline)]
On 02/25/2014 08:50 AM, Pádraig Brady wrote:
> On 02/25/2014 08:13 AM, Mike Frysinger wrote:
>> as reported by Bertrand Jacquin, this crashes:
>> $ date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'
>> Segmentation fault
>>
>> (gdb) bt
>> #0  0x00007ffff7ab1014 in __GI___libc_free (mem=0x7fffffffc8b0) at malloc.c:2942
>> #1  0x0000000000406730 in parse_datetime (result=result <at> entry=0x7fffffffcab0, p=<optimized out>, p <at> entry=0x7fffffffd04a "TZ=\"America/Los_Angeles\" \"00:00 + 1 hour\"", now=<optimized out>, now <at> entry=0x0) at ./lib/parse-datetime.y:1307
>> #2  0x00000000004023c7 in main (argc=0x3, argv=0x7fffffffcc68) at src/date.c:522
>>
>> that's 15fca2a02e38d69915c52ef41eee3c7d52b67f3e i happened to have already
>> built, but seems to reproduce easily across older versions.
>> -mike
>>
> 
> Ugh. Reproducible here.
> I'll fix up the issue in gnulib.

Proposed patch attached.

thanks,
Pádraig.

[date-tz-crash.patch (text/x-patch, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#16872; Package coreutils. (Thu, 27 Feb 2014 21:49:02 GMT) Full text and rfc822 format available.

Message #14 received at 16872 <at> debbugs.gnu.org (full text, mbox):

From: Bernhard Voelker <mail <at> bernhard-voelker.de>
To: Pádraig Brady <P <at> draigBrady.com>, Mike Frysinger <vapier <at> gentoo.org>
Cc: 16872 <at> debbugs.gnu.org, bug-gnulib <bug-gnulib <at> gnu.org>
Subject: Re: bug#16872: `date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'` crashes
Date: Thu, 27 Feb 2014 22:48:00 +0100
On 02/25/2014 12:11 PM, Pádraig Brady wrote:
> Proposed patch attached.

parse_datetime per se is pretty ugly, however, the fix LGTM:
+1

Thanks!

Have a nice day,
Berny




Reply sent to Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility. (Thu, 27 Feb 2014 23:59:02 GMT) Full text and rfc822 format available.

Notification sent to Mike Frysinger <vapier <at> gentoo.org>:
bug acknowledged by developer. (Thu, 27 Feb 2014 23:59:03 GMT) Full text and rfc822 format available.

Message #19 received at 16872-done <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Bernhard Voelker <mail <at> bernhard-voelker.de>
Cc: bug-gnulib <bug-gnulib <at> gnu.org>, Mike Frysinger <vapier <at> gentoo.org>, 16872-done <at> debbugs.gnu.org
Subject: Re: bug#16872: `date -d 'TZ="America/Los_Angeles" "00:00 + 1 hour"'` crashes
Date: Thu, 27 Feb 2014 23:58:33 +0000
[Message part 1 (text/plain, inline)]
On 02/27/2014 09:48 PM, Bernhard Voelker wrote:
> On 02/25/2014 12:11 PM, Pádraig Brady wrote:
>> Proposed patch attached.
> 
> parse_datetime per se is pretty ugly, however, the fix LGTM:
> +1

I've pushed that to gnulib,
and the attached to coreutils.

thanks for the review,
Pádraig.

[coreutils-date-crash.patch (text/x-patch, attachment)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 28 Mar 2014 11:24:06 GMT) Full text and rfc822 format available.

bug unarchived. Request was from Eric Blake <eblake <at> redhat.com> to control <at> debbugs.gnu.org. (Mon, 05 Jan 2015 17:27:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-coreutils <at> gnu.org:
bug#16872; Package coreutils. (Mon, 05 Jan 2015 17:30:06 GMT) Full text and rfc822 format available.

Message #26 received at 16872 <at> debbugs.gnu.org (full text, mbox):

From: Eric Blake <eblake <at> redhat.com>
To: 16872 <at> debbugs.gnu.org
Subject: Re: [oss-security] parse_datetime() bug in coreutils
Date: Mon, 05 Jan 2015 10:29:55 -0700
[Message part 1 (text/plain, inline)]
For informational purposes: this bug has been assigned a CVE

On 01/03/2015 03:19 PM, cve-assign <at> mitre.org wrote:
> 
> On Mon, 29 Dec 2014, Moritz Mühlenhoff wrote:
> 
>> On Mon, Nov 24, 2014 at 06:47:24PM -0800, Seth Arnold wrote:
>>> Hello,
>>>
>>> Fiedler Roman discovered that coreutils' parse_datetime() function
>>> has some flaws that may be exploitable if the date(1), touch(1),
>>> or potentially other programs, accept untrusted input for certain
>>> parameters. While researching this issue, he discovered that it
>>> was independently discovered by Bertrand Jacquin and reported at
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
>>>
>>> $ touch '--date=TZ="123"345" @1'
>>> Segmentation fault (core dumped)
>>> $ date '--date=TZ="123"345" @1'
>>> *** Error in `date': double free or corruption (out):
>>> 0x00007fffc9866c20 ***
>>> Aborted (core dumped)
>>> $
>>>
>>> The GNU bugtracker has this patch to fix the problem:
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
>>>
>>> and this patch to include the fix in coreutils and a small test case:
>>> http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872
>>>
>>>
>>> Can a CVE please be assigned for this issue.
> 
> Use CVE-2014-9471.
> 
> ---
> 
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

[signature.asc (application/pgp-signature, attachment)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 03 Feb 2015 12:24:04 GMT) Full text and rfc822 format available.

bug unarchived. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Tue, 04 Aug 2015 15:56:02 GMT) Full text and rfc822 format available.

Forcibly Merged 16872 21186. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Tue, 04 Aug 2015 15:56:02 GMT) Full text and rfc822 format available.

Added tag(s) fixed. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 11 Oct 2018 22:16:06 GMT) Full text and rfc822 format available.

bug closed, send any further explanations to 16872 <at> debbugs.gnu.org and Mike Frysinger <vapier <at> gentoo.org> Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 11 Oct 2018 22:16:08 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 09 Nov 2018 12:24:08 GMT) Full text and rfc822 format available.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.