[Whonix-devel] GNU `date` security?
adrelanos at riseup.net
Mon Oct 20 02:12:45 CEST 2014
I saw name in in the coreutils package in the date.c source file.
We are using
date --date="Sun, 19 Oct 2014 23:57:46 GMT" +"%s"
to convert a long date string to unixtime. The long date string is
[It has been extracted from http headers (curl --head [...]
some.domain). As part of sdwdate .]
Let's assume `date` is not given "Sun, 19 Oct 2014 23:57:46 GMT" but
rather a specifically crafted malicious string.
How resistant would GNU `date` be? How confident are you that the parser
/ conversion has no bug that could be exploited that leads to code
Do you think we'd be security wise better off if we used python to do
from dateutil.parser import parse
parse('Tue, 26 May 2009 19:58:20 -0500').strftime('%s')
# returns '1243364300'
More information about the Whonix-devel