date,touch: test and document large TZ security issue

Add a test for CVE-2017-7476 which was fixed in gnulib at: http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94e01571 * tests/misc/date-tz.sh: Add a new test which overwrites enough of the heap to trigger a segfault, even without ASAN enabled. * tests/local.mk: Reference the new test. * NEWS: Mention the bug fix.
2026-04-20 02:36:16 +02:00 · 2017-04-26 20:51:39 -07:00
parent 5d4be52a98
commit 9287ef2b17
3 changed files with 31 additions and 0 deletions
--- a/4
+++ b/4
@@ -4,6 +4,10 @@ GNU coreutils NEWS                                    -*- outline -*-

 ** Bug fixes

+  date and touch no longer overwrite the heap with large
+  user specified TZ values (CVE-2017-7476).
+  [bug introduced in coreutils-8.27]
+
  dd status=progress now just counts seconds; e.g., it outputs "6 s"
  consistently rather than sometimes outputting "6.00001 s".
  [bug introduced in coreutils-8.24]
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -283,6 +283,7 @@ all_tests =					\
  tests/misc/csplit-suppress-matched.pl		\
  tests/misc/date-debug.sh			\
  tests/misc/date-sec.sh			\
+  tests/misc/date-tz.sh				\
  tests/misc/dircolors.pl			\
  tests/misc/dirname.pl				\
  tests/misc/env-null.sh			\
--- a/tests/misc/date-tz.sh
+++ b/tests/misc/date-tz.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Verify TZ processing.
+
+# Copyright (C) 2017 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ date
+
+# coreutils-8.27 would overwrite the heap with large TZ values
+tz_long=$(printf '%2000s' | tr ' ' a)
+date -d "TZ=\"${tz_long}0\" 2017" || fail=1
+
+Exit $fail