From: Pádraig Brady Date: Thu, 27 Apr 2017 03:51:39 +0000 (-0700) Subject: date,touch: test and document large TZ security issue X-Git-Tag: v8.28~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9287ef2b1707e2a222f8ae776ce3785abcb16fba;p=thirdparty%2Fcoreutils.git date,touch: test and document large TZ security issue Add a test for CVE-2017-7476 which was fixed in gnulib at: http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94e01571 * tests/misc/date-tz.sh: Add a new test which overwrites enough of the heap to trigger a segfault, even without ASAN enabled. * tests/local.mk: Reference the new test. * NEWS: Mention the bug fix. --- diff --git a/NEWS b/NEWS index 72981b6015..b4614d56ac 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,10 @@ GNU coreutils NEWS -*- outline -*- ** Bug fixes + date and touch no longer overwrite the heap with large + user specified TZ values (CVE-2017-7476). + [bug introduced in coreutils-8.27] + dd status=progress now just counts seconds; e.g., it outputs "6 s" consistently rather than sometimes outputting "6.00001 s". [bug introduced in coreutils-8.24] diff --git a/tests/local.mk b/tests/local.mk index e890c9afeb..fdf3edfb22 100644 --- a/tests/local.mk +++ b/tests/local.mk @@ -283,6 +283,7 @@ all_tests = \ tests/misc/csplit-suppress-matched.pl \ tests/misc/date-debug.sh \ tests/misc/date-sec.sh \ + tests/misc/date-tz.sh \ tests/misc/dircolors.pl \ tests/misc/dirname.pl \ tests/misc/env-null.sh \ diff --git a/tests/misc/date-tz.sh b/tests/misc/date-tz.sh new file mode 100755 index 0000000000..3fe1579e28 --- /dev/null +++ b/tests/misc/date-tz.sh 
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Verify TZ processing.
+
+# Copyright (C) 2017 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ date
+
+# coreutils-8.27 would overwrite the heap with large TZ values
+tz_long=$(printf '%2000s' | tr ' ' a)
+date -d "TZ=\"${tz_long}0\" 2017" || fail=1
+
+Exit $fail
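Review bot: The new test exercises only `date -d`, while the subject line and the NEWS entry both say touch was affected by the same heap overwrite (CVE-2017-7476), so a regression that shows up only on the touch path would pass unnoticed. Consider widening the version check to `print_ver_ date touch` and adding `touch -d "TZ=\"${tz_long}0\" 2017" file || fail=1` after the date call; I expect that to succeed on a fixed build the way the date call does, but it should be confirmed before committing. Detection also rests on the overflow actually crashing the process, which presumably depends on the allocator when ASAN is off. The comment above `tz_long` could record that and name the CVE, e.g. `# coreutils-8.27 would overwrite the heap with large TZ values (CVE-2017-7476); a crash is expected but not guaranteed without ASAN`.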