[Whonix-devel] GNU `date` security?
Patrick Schleizer
adrelanos at riseup.net
Mon Oct 20 02:12:45 CEST 2014
Hi David,
I saw name in in the coreutils package in the date.c source file.
We are using
date --date="Sun, 19 Oct 2014 23:57:46 GMT" +"%s"
to convert a long date string to unixtime. The long date string is
untrusted here.
[It has been extracted from http headers (curl --head [...]
some.domain). As part of sdwdate [1].]
Let's assume `date` is not given "Sun, 19 Oct 2014 23:57:46 GMT" but
rather a specifically crafted malicious string.
How resistant would GNU `date` be? How confident are you that the parser
/ conversion has no bug that could be exploited that leads to code
execution?
Do you think we'd be security wise better off if we used python to do
the conversion?
from dateutil.parser import parse
parse('Tue, 26 May 2009 19:58:20 -0500').strftime('%s')
# returns '1243364300'
Cheers,
Patrick
[1] https://github.com/Whonix/sdwdate
[2] http://stackoverflow.com/a/3894047/2605155
More information about the Whonix-devel
mailing list