This issue has been assigned CVE-2017-7476 and was
detected with American Fuzzy Lop 2.41b run on the
coreutils date(1) program with ASAN enabled.
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x...
WRITE of size 8 at 0x60d00000cff8 thread T0
#1 0x443020 in extend_abbrs lib/time_rz.c:88
#2 0x443356 in save_abbr lib/time_rz.c:155
#3 0x44393f in localtime_rz lib/time_rz.c:290
#4 0x41e4fe in parse_datetime2 lib/parse-datetime.y:1798
A minimized reproducer is the following 120-byte TZ value,
which goes beyond the value of ABBR_SIZE_MIN (119) on x86_64.
Extend the aa...b portion to overwrite more of the heap.
date -d $(printf 'TZ="aaa%020daaaaaab%089d"')
localtime_rz and mktime_z were affected since commit 4bc76593.
parse_datetime was affected since commit 4e6e16b3f.
* lib/time_rz.c (save_abbr): Rearrange the calculation determining
whether there is enough buffer space available. The rearrangement
ensures we're only dealing with positive numbers, thus avoiding
the problematic promotion of signed to unsigned causing an invalid
comparison when zone_copy is more than ABBR_SIZE_MIN bytes beyond
the start of the buffer.
* tests/test-parse-datetime.c (main): Add a test case written by
Paul Eggert, which overwrites enough of the heap so that
standard glibc will fail with "free(): invalid pointer"
without the patch applied.
Reported and analyzed at https://bugzilla.redhat.com/1444774
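The signed-to-unsigned promotion this entry describes, shown as an added example that is not gnulib's time_rz.c: a constructed model of the space check in its buggy and rearranged shapes, run against a buffer layout modelled on the reproducer (ABBR_SIZE_MIN is the value quoted above; the buffer layout, sizes and helper names are assumptions of this illustration).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the save_abbr space check, not gnulib's time_rz.c.
   ABBR_SIZE_MIN is the value quoted in the entry; the buffer layout and
   the helper names are assumptions made for this illustration.  */
enum { ABBR_SIZE_MIN = 119 };
/* Buggy shape: the right-hand side is a pointer difference (signed
   ptrdiff_t).  Comparing it with the unsigned zone_size converts it to
   size_t, so once zone_copy lies past abbrs + ABBR_SIZE_MIN the negative
   remaining space becomes a huge value and the check wrongly passes.  */
static bool
has_room_buggy (const char *abbrs, const char *zone_copy, size_t zone_size)
{
  return zone_size < abbrs + ABBR_SIZE_MIN - zone_copy;
}

/* Rearranged shape: offset into the buffer plus bytes needed, both
   non-negative, compared against the limit; nothing negative is converted.  */
static bool
has_room_fixed (const char *abbrs, const char *zone_copy, size_t zone_size)
{
  return zone_copy - abbrs + zone_size < ABBR_SIZE_MIN;
}

/* Scenario modelled on the entry's reproducer: a 120-byte TZ name is assumed
   to occupy the start of a 122-byte buffer, so the first free slot is at
   offset 121, beyond ABBR_SIZE_MIN.  The abbreviation to store is 8 bytes
   including its NUL, matching the "WRITE of size 8" in the ASAN report.  */
enum { TZ_NAME_LEN = 120, ABBRS_CAP = TZ_NAME_LEN + 2, ZONE_SIZE = 8 };
static bool
reproducer_passes (bool (*has_room) (const char *, const char *, size_t))
{
  char abbrs[ABBRS_CAP];
  memset (abbrs, 'a', TZ_NAME_LEN);
  abbrs[TZ_NAME_LEN] = '\0';      /* terminator of the stored TZ name */
  abbrs[TZ_NAME_LEN + 1] = '\0';  /* empty slot: nothing saved yet */
  return has_room (abbrs, abbrs + TZ_NAME_LEN + 1, ZONE_SIZE);
}

bool buggy_check_accepts_reproducer (void) { return reproducer_passes (has_room_buggy); }
bool fixed_check_accepts_reproducer (void) { return reproducer_passes (has_room_fixed); }
int main (void)
{
  printf ("buggy check accepts: %d\n", buggy_check_accepts_reproducer ()); /* 1: overflow */
  printf ("fixed check accepts: %d\n", fixed_check_accepts_reproducer ()); /* 0: fallback */
  return 0;
}
```

With the buggy comparison the 8-byte copy would be placed at offset 121 of a 122-byte buffer; the rearranged comparison rejects it so the caller takes its fallback path instead.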
* build-aux/gendocs.sh (version):
* doc/gendocs_template:
* doc/gendocs_template_min:
* doc/gnulib.texi:
* lib/version-etc.c (COPYRIGHT_YEAR):
Update copyright dates by hand in templates and the like.
* all files: Run 'make update-copyright'.
This was reported in http://bugs.gnu.org/16872
from the coreutils command: date -d 'TZ="""'
The infinite loop for this case was present since the
initial TZ="" parsing support in commit de95bdc2 29-10-2004.
This was changed to a crash or heap corruption depending
on the platform with commit 2e3e4195 18-01-2010.
* lib/parse-datetime.y (parse_datetime): Break out of the
TZ="" parsing loop once the second significant " is found.
Also skip over any subsequent whitespace to be consistent
with the non-TZ= case.
* tests/test-parse-datetime.c: Add test cases for TZ="" parsing.
date -d "$(printf '\xb0')" would print 00:00:00 with today's date
rather than diagnosing the invalid input. Now it reports this:
date: invalid date '\260'
* lib/parse-datetime.y (to_uchar): Define.
(yylex): Don't sign-extend "other" bytes.
* m4/parse-datetime.m4: Require AC_C_INLINE for first use of "inline".
Thanks to Bruno Haible for the patch to this file.
* tests/test-parse-datetime.c (main): Add a test to trigger the bug.
Peter Evans reported the bug in GNU date: http://bugs.gnu.org/11843
* tests/test-parse-datetime.c (gmt_offset): Determine the "gmt_offset"
based on the time/date we'll convert, not the current time.
Otherwise, the moment we cross a DST boundary like today's in
Europe, (CEST to CET), that offset ends up being one hour off.
* tests/test-parse-datetime.c (gmt_offset): Declare function "static",
to avoid a warning from gcc's -Werror=missing-declarations.
Insert a few spaces-before-funcall-parenthesis.
The parser now accepts ISO 8601 date-time strings with "T" as the
separator. It has long parsed dates like "2004-02-29 16:21:42"
with a space between the date and time strings. Now it also parses
"2004-02-29T16:21:42" and fractional-second and time-zone-annotated
variants like "2004-02-29T16:21:42.333-07:00".
* lib/parse-datetime.y: Parse ISO 8601 extended date and time
of day representation using the 'T' separator character.
* doc/parse-datetime.texi (General date syntax): replace use of
deprecated --iso-8601 option with --rfc-3339 in example of date
command output formats that can be parsed.
* tests/test-parse-datetime.c (tm_diff): New function, taken from
lib/parse-datetime.y.
(gmt_offset): New function.
(main): Add additional test cases to validate ISO 8601 extended
date and time of day format parsing.