Date: Sun, 26 Oct 2025 22:58:52 -0700
From: Paul Eggert <eggert@HIDDEN>
To: Jeff Epler <jepler@HIDDEN>
Cc: 79705 <at> debbugs.gnu.org
Subject: Re: bug#79705: denial of service bug in date(1)

On 2025-10-26 15:07, Jeff Epler wrote:
> It is possible to specify a date format string that will produce truly unreasonable amounts of output:

Whatever limit 'date' would impose, there'd be someone wanting to go over that limit. We won't impose an arbitrary limit like 255 for that reason. This is specified by the GNU Coding Standards[1].

PS. It's not a denial of service bug. One should not let an adversary specify an arbitrary 'date' format. Similarly, Python does not have a denial of service bug merely because a naive developer could let an adversary specify an arbitrary Python program.

[1]: https://www.gnu.org/prep/standards/html_node/Semantics.html

bug-coreutils@HIDDEN:bug#79705; Package coreutils.
Date: Sun, 26 Oct 2025 17:07:02 -0500
From: "Jeff Epler" <jepler@HIDDEN>
To: bug-coreutils@HIDDEN
Message-Id: <27152505-a269-426c-92f5-5a021c4ed939@HIDDEN>
Subject: denial of service bug in date(1)

It is possible to specify a date format string that will produce truly unreasonable amounts of output:

    $ date +`python -c 'print("%2147483648c" * 10000)'`

(the format string here is 10,000 repetitions of "%2147483648c"). This will produce around 20,000GiB of output (20TiB). On my system, producing 10 repetitions takes 33 seconds, so the full 10,000 would take about 9 hours. A repetition factor of 11000 did not work on my system due to the operating system limitation on the total size of arguments.

I noticed that another implementation of time (uutils) caps the field width of any given "resource specifier" at 255 characters, meaning that the biggest length of output is probably under 10MiB (but still a non-trivial amount of output).

Jeff
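
A caller-side check for the situation both messages discuss, where a program must accept a date format it does not fully trust before handing it to date(1). This is an added example, not code from the thread, coreutils or uutils; the directive grammar, the names, and the MAX_OUTPUT and NATURAL_MAX values are assumptions, and the 255 width cap is the figure the report quotes.

```python
import re
import subprocess

# GNU date directive: % [flags] [width] [E|O or colons] conversion.
# Grammar assumed from the date(1) documentation; other strftime dialects differ.
DIRECTIVE = re.compile(r"%[-_0+^#]*(?P<width>\d*)(?:[EO]|:{1,3})?(?P<conv>[A-Za-z%])")

MAX_WIDTH = 255     # per-field cap; 255 is the figure the report gives for uutils
MAX_OUTPUT = 4096   # total output budget in bytes (assumed policy value)
NATURAL_MAX = 64    # assumed bound on one unpadded field (locale names, %c, ...)


class FormatRejected(ValueError):
    """The format string could make date(1) exceed the output budget."""


def output_bound(fmt: str) -> int:
    """Return an upper bound on the bytes date(1) prints for fmt, or raise."""
    total, pos = 0, 0
    while pos < len(fmt):
        if fmt[pos] != "%":
            total += len(fmt[pos].encode("utf-8"))  # literal text is copied through
            pos += 1
        else:
            m = DIRECTIVE.match(fmt, pos)
            if m is None:
                raise FormatRejected(f"malformed directive at offset {pos}")
            digits = m["width"]
            # Length check first, so a huge digit run is never converted to int.
            if len(digits) > len(str(MAX_WIDTH)) or (digits and int(digits) > MAX_WIDTH):
                raise FormatRejected(f"field width too large at offset {pos}")
            natural = 1 if m["conv"] in "%nt" else NATURAL_MAX
            total += max(int(digits or 0), natural)
            pos = m.end()
        if total > MAX_OUTPUT:
            raise FormatRejected(f"output bound exceeds {MAX_OUTPUT} bytes")
    return total


def run_date(fmt: str) -> str:
    """Validate an untrusted format, then call date(1) without a shell."""
    output_bound(fmt)
    done = subprocess.run(["date", "+" + fmt], capture_output=True,
                          text=True, timeout=5, check=True)
    return done.stdout
```

The running total is checked after every token, so a format made of many small directives is rejected as early as one with a single oversized width.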
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.