[Whonix-devel] GNU `date` security?

Patrick Schleizer adrelanos at riseup.net
Mon Oct 20 02:12:45 CEST 2014

Hi David,

I saw name in in the coreutils package in the date.c source file.

We are using

    date --date="Sun, 19 Oct 2014 23:57:46 GMT" +"%s"

to convert a long date string to unixtime. The long date string is
untrusted here.

[It has been extracted from http headers (curl --head [...]
some.domain). As part of sdwdate [1].]

Let's assume `date` is not given "Sun, 19 Oct 2014 23:57:46 GMT" but
rather a specifically crafted malicious string.

How resistant would GNU `date` be? How confident are you that the parser
/ conversion has no bug that could be exploited that leads to code

Do you think we'd be security wise better off if we used python to do
the conversion?

    from dateutil.parser import parse
    parse('Tue, 26 May 2009 19:58:20 -0500').strftime('%s')
    # returns '1243364300'


[1] https://github.com/Whonix/sdwdate
[2] http://stackoverflow.com/a/3894047/2605155

More information about the Whonix-devel mailing list