From 0b13fbf3f9b4419141445b381ffa9445af6e52ab Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Wed, 29 Apr 2015 11:02:20 +0200
Subject: coreutils: parse-datetime: CVE-2014-9471

Memory corruption flaw in parse_datetime()

Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9471

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../parse-datetime-CVE-2014-9471.patch             | 43 ++++++++++++++++++++++
 meta/recipes-core/coreutils/coreutils_8.22.bb      |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch

diff --git a/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch b/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch
new file mode 100644
index 0000000000..a094b8b54e
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch
@@ -0,0 +1,43 @@
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog	2013-12-13 16:20:00.000000000 +0100
++++ b/ChangeLog	2015-02-26 09:24:10.640577829 +0100
+@@ -1,3 +1,11 @@
++2014-02-25  Sona Sarmadi <sona.sarmadi@enea.com>
++
++       parse-datetime: fix crash or infloop in TZ="" parsing
++       * lib/parse-datetime.y (parse_datetime): Break out of the
++       TZ="" parsing loop once the second significant " is found.
++       Also skip over any subsequent whitespace to be consistent
++       with the non TZ= case (CVE-2014-9471)
++
+ 2013-12-13  Pádraig Brady  <P@draigBrady.com>
+ 
+ 	version 8.22
+diff -ruN a/lib/parse-datetime.y b/lib/parse-datetime.y
+--- a/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
++++ b/lib/parse-datetime.y	2015-02-26 09:20:15.238528670 +0100
+@@ -1303,8 +1303,6 @@
+             char tz1buf[TZBUFSIZE];
+             bool large_tz = TZBUFSIZE < tzsize;
+             bool setenv_ok;
+-            /* Free tz0, in case this is the 2nd or subsequent time through. */
+-            free (tz0);
+             tz0 = get_tz (tz0buf);
+             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
+             for (s = tzbase; *s != '"'; s++)
+@@ -1316,7 +1314,12 @@
+             if (!setenv_ok)
+               goto fail;
+             tz_was_altered = true;
++
+             p = s + 1;
++            while (c = *p, c_isspace (c))
++              p++;
++
++            break;
+           }
+     }
+ 
diff --git a/meta/recipes-core/coreutils/coreutils_8.22.bb b/meta/recipes-core/coreutils/coreutils_8.22.bb
index ba3a0a0228..9746683b64 100644
--- a/meta/recipes-core/coreutils/coreutils_8.22.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.22.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            file://remove-usr-local-lib-from-m4.patch \
            file://dummy_help2man.patch \
            file://fix-for-dummy-man-usage.patch \
+           file://parse-datetime-CVE-2014-9471.patch \
           "
 
 SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"
-- 
cgit 1.2.3-korg