[security-announce] coreutils: Security update

Sona Sarmadi sona.sarmadi at enea.com
Wed Mar 11 07:45:29 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory

=========================================================
Product/package: coreutils 8.22
Severity: Low
CVE Name: CVE-2014-9471
=========================================================
A security patch that fixes a  memory corruption flaw in coreutils
parse_datetime() is now available at
http://linux.enea.com/5.0-beta-m400/patches:


README file: 0007-coreutils-Fix-CVE-2014-9471.README
Patch file: 0007-coreutils-Fix-CVE-2014-9471.patch

Description
===========
The parse_datetime function in GNU coreutils allows remote attackers
to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted date string, as demonstrated by the
"--date=TZ="123"345" @1" string to the touch or date command.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9471

How to apply the patches
=======================
- - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches, please refer to
    README file for the individual patch>

 - Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget
http://linux.enea.com/5.0-beta-m400/patches/0007-coreutils-Fix-CVE-2014-9471.patch
patch -p1 < ./0007-coreutils-Fix-CVE-2014-9471.patch


If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be
privileged or otherwise protected by law. If you received this email
by mistake please let us know by reply and then delete it from your
system; you should not copy it or disclose its contents to anyone.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJU/+SIAAoJEHc+9u9ocWoUX0AQAJmOrjo2F6awG+a56ryPLCWS
KjLVajw0PRjM3xzgGF+/mGYAUwYxYc457dzhuq8FbcEQqRRaG9X78vFDI6/4jV/z
nbevKc2M8s/2Z7eNsv/IezT4ptYGKk/2fl+ZONUVgNd/JZ6jSVftP2PUan7QiiWe
8wcqLnSJXV3TTEpYb7vKMvj+B5uBLctqwAIwhBGWQScn5xEM0KkIsKpgtwaY/KNQ
7nt+xtV4+yxsTtosp6p/6bFOhiL9Zz4Aktx6Ir+/7jsV5lSvq9eNPvQLYfKfAdU6
4GcFzjYy2GtdchPzsanfOAjfHbfhx6p1BPxC/A2VQSEwsIHXtZnpbNQT4zEpQqxb
B9h24e8wAvH4qLC2txvf0CN7IXsiQzA1PYK6/OCL79100rB1BVnFLzlYy2bQUbmC
ftyVV1Dt9hakhD7ryxBpBdeWY5BAsGNjQiRDOZTZ5xlD22FZaLl1d9cPLD4c5JMJ
GenwXJUZoKfjcI1Im7ogcig8XO5B6OZrZyUQsaspAgDOEmIjCd+NmGTXfFpcQgEd
O9v3zVRkIa3Vj+uG+PrN/I+iJ+hMeL5xJC+dbfGSspyKaEG7suD+GRm0dbN/0hHu
1uPbe7AYLmIZTIHb0MTyl1RJT6ebNMAdeHSSH+Wfgxz6VL/lAIqif1c/kubQ1OBo
s59ZDt8lOOUswKM5BOMk
=SLFW
-----END PGP SIGNATURE-----



More information about the security-announce mailing list