This is the mail archive of the mailing list for the glibc project.


Re: [PATCH] tzset robustness [BZ#17715]

On 01/15/2015 02:39 PM, Rich Felker wrote:
> On Wed, Jan 14, 2015 at 11:11:42PM +0100, Florian Weimer wrote:
>> This patch removes two different unbounded alloca calls, and also
>> fixes the TZ parser issue identified here:
>>
>> This is not my preferred approach.  I would rather like to sanitize
>> TZ in AT_SECURE mode, so that specifying a file from a non-default
>> TZDIR does not work.  However, this alternative approach is a bit
>> involved because the current setup code is not fit to handle
>> content-dependent environment variable scrubbing.
>
> Doing the scrubbing in the dynamic linker does not seem appropriate
> anyway. It wouldn't solve the problem for static-linked binaries and

I have working scrubbing for statically linked binaries, I think.

> it would wrongly remove environment entries rather than just ignoring
> them. Instead, tzset should be doing its own path enforcement based on
> the presence of getauxval(AT_SECURE) or similar (e.g. the proposed
> issetugid function).

We already do that, but we aren't consistent about it: We scrub TZDIR
unconditionally (which is cleared in AT_SECURE mode), but we pass TZ
variables containing absolute paths to subprocesses. The latter means
that the TZDIR scrubbing isn't effective.

Florian Weimer / Red Hat Product Security
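As an added illustration of the tzset-side enforcement discussed in this thread (not code from glibc or from the patch under review), the following policy check ignores, in AT_SECURE mode, any TZ value that would open a zone file outside the default TZDIR while still accepting POSIX rule strings and plain zone names. The function names and the exact rule (reject absolute paths and ".." components) are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Decide whether a TZ value may be honoured.  When 'secure' is false the
   value is trusted as-is (the usual, unprivileged case).  When it is true
   (AT_SECURE), only POSIX rule strings such as "EST5EDT,M3.2.0/2,M11.1.0/2"
   and zone names that stay inside the default TZDIR are accepted. */
bool tz_value_allowed(const char *tz, bool secure)
{
    if (tz == NULL || *tz == '\0')
        return true;            /* default zone: no file chosen by the user */
    if (!secure)
        return true;
    if (*tz == ':')
        tz++;                   /* explicit file reference form ":name" */
    if (*tz == '/')
        return false;           /* absolute path escapes TZDIR entirely */

    /* A ".." component can walk out of TZDIR even with a relative name.
       Slashes inside POSIX rules ("M3.2.0/2") are harmless here because
       no component of such a string is exactly "..". */
    const char *p = tz;
    while (*p != '\0') {
        size_t seg = strcspn(p, "/");
        if (seg == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p += seg;
        if (*p == '/')
            p++;
    }
    return true;
}

/* TZ as tzset would see it after the policy: a rejected value in AT_SECURE
   mode is treated as unset (NULL), i.e. the system default is used. */
const char *effective_tz(void)
{
    bool secure = false;
#ifdef __linux__
    secure = getauxval(AT_SECURE) != 0;   /* assumption: Linux getauxval */
#endif
    const char *tz = getenv("TZ");
    return tz_value_allowed(tz, secure) ? tz : NULL;
}

int main(void)
{
    const char *tz = effective_tz();
    printf("effective TZ: %s\n", tz ? tz : "(system default)");
    return 0;
}
```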
