[pkgsrc/trunk]: pkgsrc/sysutils/coreutils Fix CVE-2014-9471 TZ parsing bug.

[tnn <tnn%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/905e19d45d5b
branches:  trunk
changeset: 649933:905e19d45d5b
user:      tnn <tnn%pkgsrc.org@localhost>
date:      Mon Apr 13 12:05:08 2015 +0000

description:
Fix CVE-2014-9471 TZ parsing bug.

diffstat:

 sysutils/coreutils/Makefile                           |   4 +-
 sysutils/coreutils/distinfo                           |   3 +-
 sysutils/coreutils/patches/patch-lib_parse-datetime.c |  32 +++++++++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)

diffs (65 lines):

diff -r 3c2f01f1f67b -r 905e19d45d5b sysutils/coreutils/Makefile
--- a/sysutils/coreutils/Makefile       Mon Apr 13 11:33:51 2015 +0000
+++ b/sysutils/coreutils/Makefile       Mon Apr 13 12:05:08 2015 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.63 2014/05/29 23:37:27 wiz Exp $
+# $NetBSD: Makefile,v 1.64 2015/04/13 12:05:08 tnn Exp $
 
 .include "../../sysutils/coreutils/Makefile.common"
 
-PKGREVISION=           1
+PKGREVISION=           2
 CONFIGURE_ARGS+=       --without-gmp
 
 CONFLICTS=     fileutils-[0-9]* gnuls-[0-9]* linuxls-[0-9]* sh-utils-[0-9]* textutils-[0-9]*
diff -r 3c2f01f1f67b -r 905e19d45d5b sysutils/coreutils/distinfo
--- a/sysutils/coreutils/distinfo       Mon Apr 13 11:33:51 2015 +0000
+++ b/sysutils/coreutils/distinfo       Mon Apr 13 12:05:08 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2014/06/29 06:53:23 obache Exp $
+$NetBSD: distinfo,v 1.30 2015/04/13 12:05:08 tnn Exp $
 
 SHA1 (coreutils-8.22.tar.xz) = cc7fe47b21eb49dd2ee4cdb707570f42fb2c8cc6
 RMD160 (coreutils-8.22.tar.xz) = c3da7ade1d3ac82e97ac4a24c70376af8b9b503b
@@ -6,4 +6,5 @@
 SHA1 (patch-Makefile.in) = fce694c56777081a6a54d157dd0573945250f381
 SHA1 (patch-lib-fflush.c) = 106e9c7d05fff290f24cb69e1b2c80d0077c62bd
 SHA1 (patch-lib-fseeko.c) = 9f4b0294698648011c64869fc0e642f910e9d47f
+SHA1 (patch-lib_parse-datetime.c) = 9a2143f0d6e908c2b340a2520f2a280c5fb80e6d
 SHA1 (patch-lib_string.in.h) = 37167af962d1cfe9196d11e4250d9e9628d9eb73
diff -r 3c2f01f1f67b -r 905e19d45d5b sysutils/coreutils/patches/patch-lib_parse-datetime.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/coreutils/patches/patch-lib_parse-datetime.c     Mon Apr 13 12:05:08 2015 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-lib_parse-datetime.c,v 1.1 2015/04/13 12:05:08 tnn Exp $
+
+Fix CVE-2014-9471 TZ parsing bug.
+Via https://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
+
+Note that we patch the generated parser instead of the
+bison grammar to avoid adding bison dependency here.
+
+--- lib/parse-datetime.c.orig  2013-12-09 14:43:39.000000000 +0000
++++ lib/parse-datetime.c
+@@ -3207,8 +3207,6 @@ parse_datetime (struct timespec *result,
+             char tz1buf[TZBUFSIZE];
+             bool large_tz = TZBUFSIZE < tzsize;
+             bool setenv_ok;
+-            /* Free tz0, in case this is the 2nd or subsequent time through. */
+-            free (tz0);
+             tz0 = get_tz (tz0buf);
+             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
+             for (s = tzbase; *s != '"'; s++)
+@@ -3220,7 +3218,12 @@ parse_datetime (struct timespec *result,
+             if (!setenv_ok)
+               goto fail;
+             tz_was_altered = true;
++
+             p = s + 1;
++            while (c = *p, c_isspace (c))
++              p++;
++
++            break;
+           }
+     }
+