[Whonix-devel] GNU `date` security?

Patrick Schleizer adrelanos at riseup.net
Mon Oct 20 02:12:45 CEST 2014


Hi David,

I saw your name in the coreutils package, in the date.c source file.

We are using

    date --date="Sun, 19 Oct 2014 23:57:46 GMT" +"%s"

to convert a long date string to unixtime. The long date string is
untrusted here.

[It has been extracted from HTTP headers (curl --head [...]
some.domain). As part of sdwdate [1].]

Let's assume `date` is not given "Sun, 19 Oct 2014 23:57:46 GMT" but
rather a specifically crafted malicious string.

How resistant would GNU `date` be? How confident are you that the parser
/ conversion has no bug that could be exploited that leads to code
execution?

Do you think we'd be better off security-wise if we used Python to do
the conversion?

    from dateutil.parser import parse
    parse('Tue, 26 May 2009 19:58:20 -0500').strftime('%s')
    # returns '1243364300'

Cheers,
Patrick

[1] https://github.com/Whonix/sdwdate
[2] http://stackoverflow.com/a/3894047/2605155
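
An added example, not part of the original message or of sdwdate's own code: one way to shrink what any date parser sees is to accept only the fixed-length HTTP date form shown above and compute the Unix time with Python's standard library. The function names are hypothetical, and it assumes the header value always arrives in that GMT form.

```python
import calendar
import datetime
import re

# Assumption: only the fixed-length HTTP date form is accepted,
# e.g. "Sun, 19 Oct 2014 23:57:46 GMT"; everything else is rejected.
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# [0-9] instead of \d so that non-ASCII digits never match.
HTTP_DATE = re.compile(
    r"(?P<dow>%s), (?P<day>[0-9]{2}) (?P<mon>%s) (?P<year>[0-9]{4}) "
    r"(?P<h>[0-9]{2}):(?P<m>[0-9]{2}):(?P<s>[0-9]{2}) GMT"
    % ("|".join(DAYS), "|".join(MONTHS))
)


def http_date_to_unixtime(value):
    """Return epoch seconds for a strict HTTP date, or raise ValueError."""
    if not isinstance(value, str) or len(value) != 29:
        raise ValueError("unexpected type or length")
    match = HTTP_DATE.fullmatch(value)  # fullmatch: no trailing newline allowed
    if match is None:
        raise ValueError("not a fixed-format HTTP date")
    f = match.groupdict()
    # datetime() range-checks every field and raises ValueError if one is off.
    moment = datetime.datetime(
        int(f["year"]), MONTHS.index(f["mon"]) + 1, int(f["day"]),
        int(f["h"]), int(f["m"]), int(f["s"]),
    )
    if DAYS[moment.weekday()] != f["dow"]:
        raise ValueError("weekday does not match date")
    # timegm() treats the tuple as UTC, independent of the local timezone.
    return calendar.timegm(moment.timetuple())


def parse_or_none(value):
    """Hypothetical wrapper: None for anything the strict parser rejects."""
    try:
        return http_date_to_unixtime(value)
    except ValueError:
        return None
```

Because the input is length-checked and matched against a closed grammar first, no free-form date parser is ever run on the untrusted string.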

