Bug 1036636 - (CVE-2017-7476) VUL-0: CVE-2017-7476: gnulib: Out-of-bounds write by setting a large TZ variable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/184455/
Whiteboard: CVSSv2:SUSE:CVE-2017-7476:4.4:(AV:L/...
Depends on: 1037124 1037125 1037142
Reported: 2017-04-27 15:52 UTC by Marcus Meissner
Modified: 2022-09-16 13:42 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2017-04-27 15:52:16 UTC
rh#1445185

An out-of-bounds heap write vulnerability was found in date. A maliciously crafted TZ variable could be used to run arbitrary code as the user running date.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1445185
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7476
Comment 1 Marcus Meissner 2017-04-27 15:55:19 UTC
The gnulib is embedded in various tools. :(
Comment 3 Marcus Meissner 2017-04-28 15:13:21 UTC
17:06 < tacit> _Marcus_: emacs, scat, gnutls, coreutils, guile
17:07 < tacit> _Marcus_: clisp, dotfiles, findutils, diffutils, codestash,
Comment 4 Marcus Meissner 2017-05-02 08:35:24 UTC
16:38 <vpereira> SUSE:SLE-12-SP2:GA/coreutils/coreutils-8.25.tar.xz.contents/coreutils-8.25/lib/time_rz.c
16:38 <vpereira> SUSE:SLE-12-SP3:GA/lftp/lftp-4.7.4.tar.xz.contents/lftp-4.7.4/lib/time_rz.c
Comment 5 Marcus Meissner 2017-05-02 09:45:02 UTC
parse-datetime is affected only since Jan 21 2017 as it was ported to *time_rz then

author: Paul Eggert <eggert@cs.ucla.edu>, Sat, 21 Jan 2017 03:11:55 +0200 (17:11 -0800)

time_rz and mktime_rz affected since Fri, 24 Jul 2015
Comment 6 Marcus Meissner 2017-05-02 09:48:31 UTC
findutils in factory: gnulib is from 2011 -> not affected.
Comment 7 Marcus Meissner 2017-05-02 09:57:53 UTC
gnutls - certtool-cfg uses parse_datetime, but even 3.5.9 is using an older version of gnulib from around 2015. -> not affected
Comment 8 Marcus Meissner 2017-05-02 10:00:38 UTC
guile - does not call *time_rz , does not have parse_datetime
Comment 9 Marcus Meissner 2017-05-02 11:28:26 UTC
clisp - very old gnulib (from around 2011) - not affected
Comment 10 Marcus Meissner 2017-05-02 11:33:48 UTC
dotfiles - not in opensuse/sle

scat? - not found
Comment 11 Marcus Meissner 2017-05-03 07:43:50 UTC
09:35 <vpereira> openSUSE:Factory/coreutils/coreutils-8.27.tar.xz.contents/coreutils-8.27/lib/time_rz.c
09:35 <vpereira> openSUSE:Factory/diffutils/diffutils-3.5.15.tar.xz.contents/diffutils-3.5.15/lib/time_rz.c
09:35 <vpereira> openSUSE:Factory/findutils/findutils-4.6.0.tar.gz.contents/findutils-4.6.0/gl/lib/time_rz.c
09:35 <vpereira> openSUSE:Factory/fontforge/fontforge-20161005-repacked.tar.gz.contents/fontforge-20161005/gnulib/lib/time_rz.c
09:35 <vpereira> openSUSE:Factory/gnutls/gnutls-3.5.9.tar.xz.contents/gnutls-3.5.9/src/gl/time_rz.c
09:35 <vpereira> openSUSE:Factory/guile/guile-2.0.14.tar.xz.contents/guile-2.0.14/lib/time_rz.c
09:35 <vpereira> openSUSE:Factory/tar/tar-1.29.tar.bz2.contents/tar-1.29/gnu/time_rz.c
09:35 <vpereira> openSUSE:Factory/lftp/lftp-4.7.4.tar.xz.contents/lftp-4.7.4/lib/time_rz.c
09:35 <vpereira> openSUSE:Factory/pspp/pspp-0.10.2.tar.gz.contents/pspp-0.10.2/gl/time_rz.c
09:36 <vpereira> openSUSE:Factory/emacs/emacs-25.2-rc2.tar.xz.contents/emacs-25.2/lib/time_rz.c
Comment 12 Marcus Meissner 2017-05-03 11:36:00 UTC
tar in factory ... has the buggy time_rz, not the buggy parse_datetime ... calls only parse_datetime.  -> not affected.
Comment 13 Marcus Meissner 2017-05-03 11:43:46 UTC
pspp in factory ... has the buggy time_rz, not the buggy parse_datetime ... time_rz not used.
Comment 14 Marcus Meissner 2017-05-03 11:45:32 UTC
fontforge in factory ... buggy time_rz, not the buggy parse_datetime.  Neither are used.
Comment 15 Marcus Meissner 2017-05-03 11:48:17 UTC
So to summarize:

- emacs was affected, but only in openSUSE Factory. Update is on its way.
- coreutils was affected, but only in openSUSE Factory. Maintainer is working on it.

All other packages containing time_rz apparently do not use it.

No packages on SUSE Linux Enterprise and openSUSE Leap are affected.
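The triage in the comments above follows one rule: a package that merely ships a vulnerable copy of gnulib's time_rz.c is not affected unless some other code in the tree (its own sources, or a parse-datetime newer than Jan 2017) actually calls the time_rz API. The script below is an added example that automates exactly that inventory step over a directory of unpacked source trees; it is not code from this bug report, from SUSE's tooling, or from gnulib. It assumes the public entry points of the time_rz module are named localtime_rz, mktime_z, tzalloc and tzfree, and the three sample packages it builds are constructed for illustration. It deliberately scans only .c and .y files: gnulib's generated time.h declares the API in every package that uses the time module, so including headers would mark every such package as a caller.

```sh
#!/bin/sh
# Added triage helper, not code from the bug report or from gnulib. It automates the
# two checks the thread does by hand: does a package tree embed gnulib's time_rz.c,
# and does any other C or yacc source in that tree actually call the time_rz API?
# Package names and file contents below are constructed for illustration.

# Assumption: these are the public names of gnulib's time_rz module that a caller
# (parse-datetime.y or the program itself) would reference.
TIME_RZ_API='localtime_rz|mktime_z|tzalloc|tzfree'

# List .c/.y files under PKG that reference the time_rz API, excluding time_rz.c itself.
# Headers are skipped on purpose: gnulib's generated time.h declares the API in every
# package using the time module, which would make all of them look like callers.
time_rz_callers() {
    find "$1" \( -name '*.c' -o -name '*.y' \) ! -name 'time_rz.c' \
        -exec grep -lE "$TIME_RZ_API" {} + 2>/dev/null
}

# Print one of: none   (no time_rz.c embedded at all, e.g. an old gnulib snapshot)
#               unused (time_rz.c embedded but no other source references the API)
#               used   (embedded and referenced elsewhere; needs a human look)
triage_package() {
    if [ -z "$(find "$1" -name 'time_rz.c' -print 2>/dev/null)" ]; then
        echo none
    elif [ -n "$(time_rz_callers "$1")" ]; then
        echo used
    else
        echo unused
    fi
}

# Build a constructed sample tree of three fake packages and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    # pkg-a: embeds time_rz.c and its parse-datetime.y calls localtime_rz
    # (the post-January-2017 situation described in the thread)
    mkdir -p "$root/pkg-a/lib"
    : > "$root/pkg-a/lib/time_rz.c"
    printf '%s\n' 'tm = localtime_rz (tz, &t, &tm0);' > "$root/pkg-a/lib/parse-datetime.y"
    # pkg-b: embeds time_rz.c but nothing else references the API (the tar/pspp case)
    mkdir -p "$root/pkg-b/gl" "$root/pkg-b/src"
    : > "$root/pkg-b/gl/time_rz.c"
    printf '%s\n' 'int main(void) { return 0; }' > "$root/pkg-b/src/main.c"
    # pkg-c: old gnulib snapshot, no time_rz.c at all (the findutils/clisp case)
    mkdir -p "$root/pkg-c/lib"
    printf '%s\n' 'int main(void) { return 0; }' > "$root/pkg-c/lib/main.c"
    echo "$root"
}

# Stand-alone run: triage every package under the constructed sample tree.
tree=$(make_sample_tree)
for pkg in "$tree"/*; do
    printf '%s: %s\n' "$(basename "$pkg")" "$(triage_package "$pkg")"
done
rm -rf "$tree"
```

Point the loop at a directory of unpacked tarballs to reproduce the list in Comment 11 together with a first verdict per package. A "used" result is where the manual work starts: the script does not know the gnulib snapshot date, so the date boundaries from Comment 5 (time_rz/mktime_rz since 24 Jul 2015, parse-datetime since 21 Jan 2017) still have to be checked against the embedded copy by hand.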
Comment 16 Carlos López 2022-09-16 13:42:57 UTC
Done, closing.