The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the –date=TZ=123345 @1 string to the touch or date command.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Coreutils | Gnu | * | 8.23 (excluding) |