Bug 1445185 (CVE-2017-7476)

Summary: CVE-2017-7476 gnulib: Out-of-bounds write by setting a large TZ variable
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: admiller, jamartis, kdudka, kzak, ooprala, ovasik, p, security-response-team, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20170427,reported=20170424,source=researcher,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-787,fedora-all/coreutils=notaffected,rhel-5/coreutils=notaffected,rhel-6/coreutils=notaffected,rhel-7/coreutils=notaffected
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-02 19:35:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1444774    
Bug Blocks: 1445186    

Description Andrej Nemec 2017-04-25 08:29:13 UTC
An out-of-bounds heap write vulnerability was found in date. Maliciously crafted TZ variable could be used to run arbitrary code as the user running date.

Comment 1 Andrej Nemec 2017-04-25 08:33:14 UTC
Acknowledgments:

Name: Pádraig Brady

Comment 2 Kamil Dudka 2017-04-27 08:09:24 UTC
As the fix is already pushed to public git repositories, could the embargo be canceled and the corresponding bugs made public?

Thanks in advance!

Comment 3 Andrej Nemec 2017-04-27 08:25:18 UTC
Upstream patch:

http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94e01571

Comment 4 Tomas Hoger 2017-04-27 08:29:21 UTC
This really is a gnulib issue, and gnulib is embedded in coreutils.