Bug 1037124 - VUL-0: CVE-2017-7476: coreutils: gnulib: Out-of-bounds write by setting a large TZ variable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/184455/
CVSSv2:SUSE:CVE-2017-7476:4.4:(AV:L/...
Depends on:
Blocks: CVE-2017-7476
Reported: 2017-05-02 08:37 UTC by Marcus Meissner
Modified: 2017-05-09 12:07 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---



Description Marcus Meissner 2017-05-02 08:37:28 UTC
This bug is about the gnulib embedded in the coreutils package.


+++ This bug was initially created as a clone of Bug #1036636 +++

rh#1445185

An out-of-bounds heap write vulnerability was found in date. A maliciously crafted TZ variable could be used to run arbitrary code as the user running date.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1445185
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7476
Comment 1 Marcus Meissner 2017-05-02 09:17:42 UTC
QA REPRODUCER:

   date -d $(printf 'TZ="aaa%020daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab%089d"')


should not crash
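The reproducer above as a QA regression check (added here; not part of the bug report or of coreutils). It wraps the exact command from the comment and tells a crash (date killed by a signal, the vulnerable behaviour) apart from a normal exit, whether date accepts or rejects the string. It assumes GNU date on PATH; the DATE variable is an assumed override for testing a freshly built binary.

```shell
#!/bin/sh
# Regression check for the CVE-2017-7476 reproducer (Comment 1).
# Assumption: "date" on PATH is the binary under test; set DATE to point
# at a different build, e.g. DATE=./src/date.
DATE="${DATE:-date}"

# Build the exact argument from the reproducer: a long quoted TZ string
# that triggered the out-of-bounds heap write in gnulib's parse-datetime.
# The explicit 0 0 arguments give the same zero-padded output as the
# original printf without arguments, but avoid "missing argument" warnings.
reproducer_arg() {
    printf 'TZ="aaa%020daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab%089d"' 0 0
}

# Run the reproducer once. Returns 0 when date exits normally (status below
# 128: it either parsed the string or reported "invalid date"), and 1 when
# date was killed by a signal (status 128+N, e.g. 139 for SIGSEGV), which is
# the crash the bug is about. Output is discarded; only the status matters.
check_date_tz_crash() {
    arg=$(reproducer_arg)
    status=0
    "$DATE" -d "$arg" >/dev/null 2>&1 || status=$?
    if [ "$status" -ge 128 ]; then
        echo "VULNERABLE: $DATE killed by signal $((status - 128)) (status $status)" >&2
        return 1
    fi
    echo "OK: $DATE exited with status $status, no crash" >&2
    return 0
}
```

Run it against the package's date under ASAN or valgrind as well: a silent out-of-bounds write does not always end in a signal, so a clean exit here is necessary but not sufficient.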
Comment 2 Marcus Meissner 2017-05-02 09:18:24 UTC
on 20170502 Factory there is a clear crash.

Leap 42.2 shows no overflow with coreutils-8.25
Comment 3 Marcus Meissner 2017-05-02 09:43:05 UTC
(so only factory fix needed)
Comment 4 Bernhard Voelker 2017-05-02 12:13:20 UTC
Upstream gnulib fix:
  http://git.sv.gnu.org/cgit/gnulib.git/commit/?id=94e015715078

Upstream pickup of above gnulib in coreutils:
  http://git.sv.gnu.org/cgit/coreutils.git/commit/?id=5d4be52a982e

Upstream coreutils test:
  http://git.sv.gnu.org/cgit/coreutils.git/commit/?id=9287ef2b1707
Comment 5 Bernhard Voelker 2017-05-02 21:44:19 UTC
I'm currently testing the fix in
https://build.opensuse.org/package/show/home:berny:branches:Base:System/coreutils
Comment 6 Bernhard Voelker 2017-05-03 16:48:32 UTC
The fix is on its way from Base:System to oS:Factory:
https://build.opensuse.org/request/show/492649
Comment 7 Philipp Thomas 2017-05-09 12:07:30 UTC
Package submitted, reassigning to security team for further processing