CVE-2014-9471

Published: 31 December 2014

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command.

Priority

Status

Package	Release	Status
coreutils Launchpad, Ubuntu, Debian	lucid	Released (7.4-2ubuntu3.1)
	precise	Released (8.13-3ubuntu3.3)
	trusty	Released (8.21-1ubuntu5.1)
	upstream	Released (8.23-1)
	utopic	Not vulnerable (8.23-2ubuntu3)

References

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872
https://ubuntu.com/security/notices/USN-2473-1
https://www.cve.org/CVERecord?id=CVE-2014-9471
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.