This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/17715] Robustify TZ file parser and reduce attack surface
- From: "joseph at codesourcery dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 15 Dec 2014 19:11:56 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
The code is not supposed to accept paths outside the default TZDIR at all
in secure mode:

  /* We must not allow to read an arbitrary file in a setuid
     program.  So we fail for any file which is not in the
     directory hierarchy starting at TZDIR
     and which is not the system wide default TZDEFAULT.  */
  if (__libc_enable_secure
      && ((*file == '/'
           && memcmp (file, TZDEFAULT, sizeof TZDEFAULT)
           && memcmp (file, default_tzdir, sizeof (default_tzdir) - 1))
          || strstr (file, "../") != NULL))
    /* This test is certainly a bit too restrictive but it should
       catch all critical cases.  */
    goto ret_free_transitions;

Is the security risk that someone might be able to provide a TZ string to
a program that (a) is running as another user (or on another system), but
(b) is not in __libc_enable_secure mode, and (c) where a file with
attacker-controlled problematic contents is readable by that user on that
system at a known path?
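
Added example (not part of the original message and not glibc's own code): the condition quoted above as a stand-alone C function, run over constructed file names in secure and non-secure mode to show which inputs the check covers. The TZDEFAULT and default_tzdir values, the name tz_file_rejected and the `secure` parameter are assumptions for illustration; strcmp/strncmp stand in for the memcmp calls.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for illustration; the real ones are build-time settings. */
#define TZDEFAULT "/etc/localtime"
static const char default_tzdir[] = "/usr/share/zoneinfo";

/* Returns true when the quoted condition would refuse the TZ file name.
   `secure` stands in for __libc_enable_secure.  strcmp/strncmp replace the
   memcmp calls so a short string is never read past its terminating NUL. */
static bool tz_file_rejected(const char *file, bool secure)
{
    if (!secure)
        return false;               /* the test only applies in secure mode */
    if (strstr(file, "../") != NULL)
        return true;                /* "../" anywhere, absolute or relative */
    if (*file != '/')
        return false;               /* relative names pass this test */
    if (strcmp(file, TZDEFAULT) == 0)
        return false;               /* the system-wide default is allowed */
    /* Any other absolute path must start with the default TZDIR. */
    return strncmp(file, default_tzdir, sizeof(default_tzdir) - 1) != 0;
}

int main(void)
{
    /* Constructed sample TZ file names, not taken from the bug report. */
    const char *samples[] = {
        "Europe/Berlin", "/etc/localtime", "/usr/share/zoneinfo/UTC",
        "/tmp/zone", "Europe/../../../tmp/zone",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s secure=%-7s non-secure=%s\n", samples[i],
               tz_file_rejected(samples[i], true) ? "reject" : "accept",
               tz_file_rejected(samples[i], false) ? "reject" : "accept");
    return 0;
}
```

With `secure` false every sample is accepted, which is case (b) in the question above: the restriction gives no protection to a process that is not in secure mode.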