[security-announce] coreutils: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu Feb 26 10:15:56 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory

=========================================================
Product/package: coreutils 8.22
Severity: Low
Issue date: 2015-02-26
CVE Name: CVE-2014-9471
=========================================================
A security patch that fixes a memory corruption flaw in
parse_datetime() is now available at http://linux.enea.com/4.0/patches:

README file: 0047-coreutils-parse-datetime-CVE-2014-9471.patch
Patch file: 0047-coreutils-parse-datetime-CVE-2014-9471.patch

Description
===========
The parse_datetime function in GNU coreutils allows remote attackers
to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted date string, as demonstrated by the
"--date=TZ="123"345" @1" string to the touch or date command.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9471
http://seclists.org/oss-sec/2014/q4/782
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872

How to apply the patches
========================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- Fetch and apply the new patch
wget http://linux.enea.com/4.0/patches/0047-coreutils-parse-datetime-CVE-2014-9471.patch
patch -p1 < ./0047-coreutils-parse-datetime-CVE-2014-9471.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
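
Added example, not part of the Enea advisory: a POSIX shell check that runs a date binary once with the string quoted in the Description and reports whether the process was killed by a signal, which is how the crash shows up in the exit status. The function name check_parse_datetime and the DATE_BIN variable are assumptions made for this example; it is meant to be run on the rebuilt target after the patch has been applied.

```shell
#!/bin/sh
# Added example (not Enea's or coreutils' own code).
# Classifies how a `date` binary handles the test string from the advisory.

# The argument exactly as quoted in the advisory's Description section.
ADVISORY_ARG='--date=TZ="123"345" @1'

# check_parse_datetime [BINARY]
#   BINARY defaults to $DATE_BIN (assumed override variable), then to `date`.
#   Prints one word:
#     crashed  - process was killed by a signal (exit status > 128)
#     rejected - process exited with an ordinary non-zero status
#     accepted - process exited with status 0
#     missing  - binary not found
#   Returns 1 for crashed, 2 for missing, 0 otherwise.
check_parse_datetime() {
    bin=${1:-${DATE_BIN:-date}}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 2; }

    # Run in a subshell with output discarded. The `|| rc=$?` form keeps
    # the check working when the calling script uses `set -e`.
    rc=0
    ( "$bin" "$ADVISORY_ARG" ) >/dev/null 2>&1 || rc=$?

    if [ "$rc" -gt 128 ]; then
        # 128+N means the child died from signal N (for example 134 = SIGABRT,
        # 139 = SIGSEGV), i.e. the parser did not return normally.
        echo crashed
        return 1
    elif [ "$rc" -eq 0 ]; then
        echo accepted
    else
        echo rejected
    fi
    return 0
}
```

A result of "crashed" means the binary under test does not contain the fix; "rejected" and "accepted" both mean the parser returned without crashing.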
