Bug 15050

Summary: coreutils new security issue CVE-2014-9471
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/629686/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: coreutils-8.21-6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-15 18:28:49 CET 
Ubuntu has issued an advisory on January 14:
http://www.ubuntu.com/usn/usn-2473-1/

More details in this thread:
http://openwall.com/lists/oss-security/2014/11/25/1

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated coreutils packages fix security vulnerability:

Bertrand Jacquin and Fiedler Roman discovered date and touch incorrectly
handled user-supplied input. An attacker could possibly use this to cause
a denial of service or potentially execute code (CVE-2014-9471).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9471
http://www.ubuntu.com/usn/usn-2473-1/
========================

Updated packages in core/updates_testing:
========================
coreutils-8.21-6.1.mga4
coreutils-doc-8.21-6.1.mga4

from coreutils-8.21-6.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-01-16 14:14:12 CET 
Testing complete Mageia 4 i586.

Before the update:

$ touch '--date=TZ="123"345" @1'
Segmentation fault
$ date '--date=TZ="123"345" @1'
*** Error in `date': free(): invalid pointer: 0xbfc11414 ***
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6bb13)[0xb7615b13]
/lib/i686/libc.so.6(+0x73414)[0xb761d414]
date[0x804e227]
date[0x8049ba0]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb75c3b33]
date[0x8049bd0]
======= Memory map: ========
08048000-08056000 r-xp 00000000 08:08 136391     /usr/bin/date
08057000-08058000 r--p 0000e000 08:08 136391     /usr/bin/date
08058000-08059000 rw-p 0000f000 08:08 136391     /usr/bin/date
0822e000-0824f000 rw-p 00000000 00:00 0          [heap]
b7207000-b7222000 r-xp 00000000 08:08 137672     /usr/lib/libgcc_s-4.8.2.so.1
b7222000-b7223000 r--p 0001a000 08:08 137672     /usr/lib/libgcc_s-4.8.2.so.1
b7223000-b7224000 rw-p 0001b000 08:08 137672     /usr/lib/libgcc_s-4.8.2.so.1
b723a000-b73a9000 r--p 00497000 08:08 276082     /usr/share/locale/locale-archive
b73a9000-b75a9000 r--p 00000000 08:08 276082     /usr/share/locale/locale-archive
b75a9000-b75aa000 rw-p 00000000 00:00 0
b75aa000-b775c000 r-xp 00000000 08:08 133965     /usr/lib/i686/libc-2.18.so
b775c000-b775e000 r--p 001b2000 08:08 133965     /usr/lib/i686/libc-2.18.so
b775e000-b775f000 rw-p 001b4000 08:08 133965     /usr/lib/i686/libc-2.18.so
b775f000-b7762000 rw-p 00000000 00:00 0
b7776000-b7777000 rw-p 00000000 00:00 0
b7777000-b7778000 r--p 00a4b000 08:08 276082     /usr/share/locale/locale-archive
b7778000-b7779000 rw-p 00000000 00:00 0
b7779000-b777a000 r-xp 00000000 00:00 0          [vdso]
b777a000-b7798000 r-xp 00000000 08:08 137241     /usr/lib/ld-2.18.so
b7798000-b7799000 r--p 0001d000 08:08 137241     /usr/lib/ld-2.18.so
b7799000-b779a000 rw-p 0001e000 08:08 137241     /usr/lib/ld-2.18.so
bfbf1000-bfc13000 rw-p 00000000 00:00 0          [stack]
Aborted


After the update:

$ touch '--date=TZ="123"345" @1'
touch: invalid date format âTZ="123"345" @1â
$ date '--date=TZ="123"345" @1'
date: invalid date âTZ="123"345" @1â

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 2 olivier charles 2015-01-17 10:50:40 CET 
Testing on Mageia 4x64 real hardware

From current package :
--------------------
coreutils-8.21-6.mga4

$ touch '--date=TZ="123"345" @1'
*** Error in `touch': free(): invalid pointer: 0x00007fff3e2e4650 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x72fff)[0x7f48603d8fff]
(...)
7fff3e395000-7fff3e397000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Abandon

$ date '--date=TZ="123"345" @1'
gave same output

To updated testing package :
--------------------------
coreutils-8.21-6.1.mga4

$ touch '--date=TZ="123"345" @1'
touch: format de date « TZ="123"345" @1 » incorrect
$ date '--date=TZ="123"345" @1'
date: date incorrecte « TZ="123"345" @1 »

Used a dozen coreutils commands, found no regression.

CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 3 claire robinson 2015-01-19 13:02:32 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-01-19 17:48:11 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0029.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED