This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [RFC][PATCH v4 06/11] Provide backward compatibility for strftime family (bug 10871).
10.11.2016 20:19 Andreas Schwab <schwab@linux-m68k.org> wrote:
>
>
> On Nov 10 2016, Rafal Luzynski <digitalfreak@lingonborough.com> wrote:
>
> > I was investigating these cases long ago and in Linux only,
> > sorry if I'm inaccurate and please tell me if an actual investigation
> > is needed again. I don't know if FreeBSD uses the same GNU coreutils
> > as Linux does but if it does then it's not a surprise if some bugs
> > are common.
>
> FreeBSD generally does not use GNU tools. Here is the source for date,
> for example:
>
> https://svnweb.freebsd.org/base/head/bin/date/
>
> Andreas.
Thank you for this link, Andreas. I took the opportunity to analyze the
problem more thoroughly.
1. The date utility in FreeBSD actually calls strftime() directly, which
makes it vulnerable to memory overflow if the format string is maliciously
long, an issue which was fixed in glibc a while ago. That means
that the whole implementation of the date format is inside strftime().
The default format for a date is "%+" (not supported in glibc2),
which uses whatever is provided in the locale data as the date_fmt field.
2. In the case of the Catalan language, date_fmt and other formats had many
changes this year but the additional unnecessary "de" before the
month name was added only in the last commit, on Aug 13, 2016.
It did not exist before. Florian, your FreeBSD says it's release 11.0
from Sep 29, 2016. All this looks like you have spotted a bug,
not present in the older releases and not yet fixed. I don't know
why this change has been introduced; the commit comment says
that the time data from CLDR are not good but does not explain where
the format containing the additional "de" comes from.
The Catalan language was added to FreeBSD only in October 2015.
While at it, it seems strange to me that it is listed as ca_IT
rather than ca_ES but I guess it does work anyway.
3. In the case of the cal utility, I'm not sure if it's a core part of FreeBSD
because FreeBSD manuals say that ncal is its native cal implementation.
I'm not sure where cal comes from. If it comes from Linux or from
another non-BSD source then it may have the same problems I mentioned
before: it displays nl_langinfo(MON_1+x) which may return a month
name in a genitive form (or whatever is appropriate when printing
a month name in a full date context but not standalone), one of
those issues which will be introduced by my proposed change.
At the same time, ncal uses wcsprintf("%OB") - correctly!
4. Unfortunately, there seem to be no more Western European languages
supported in FreeBSD and featuring any difference between %B and %OB
month names.
Please note that whether we implement nominative (standalone) cases
as %OB/ALTMON_x and genitive (full date) as %B/MON_x or the other
way round, it does not change the vulnerability to the incorrect
format strings. If the format string for Catalan (or any other
similar language) contains additional "de" while the month name
is already in its genitive form then the whole format string becomes
incorrect no matter which implementation we choose.
Regards,
Rafal
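
Added example, not part of the original message and not glibc or FreeBSD code: point 1 concerns a program that hands a caller-supplied format string straight to strftime(). The C sketch below shows one defensive wrapper for that situation; the name `format_time_bounded` and the limits `FMT_MAX` and `OUT_MAX` are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define FMT_MAX 256   /* assumed cap on an untrusted format string */
#define OUT_MAX 4096  /* assumed cap on the formatted result */

/* Format *tm with an untrusted fmt. Returns a malloc'd string, or NULL if
 * fmt is longer than FMT_MAX, the result exceeds OUT_MAX, or malloc fails. */
char *format_time_bounded(const char *fmt, const struct tm *tm)
{
    size_t flen = 0, cap, n;
    char *sfmt, *buf;
    if (fmt == NULL || tm == NULL)
        return NULL;
    while (flen <= FMT_MAX && fmt[flen] != '\0')
        flen++;
    if (flen > FMT_MAX)
        return NULL;                      /* reject before strftime() sees it */
    /* strftime() returns 0 both for "did not fit" and for an empty result.
     * A one-byte sentinel prefix makes every successful result non-empty. */
    if ((sfmt = malloc(flen + 2)) == NULL)
        return NULL;
    sfmt[0] = 'x';
    memcpy(sfmt + 1, fmt, flen + 1);
    for (cap = 64; cap <= OUT_MAX; cap *= 2) {
        if ((buf = malloc(cap)) == NULL)
            break;
        n = strftime(buf, cap, sfmt, tm); /* writes at most cap bytes */
        if (n > 0) {
            memmove(buf, buf + 1, n);     /* drop sentinel, keep the NUL */
            free(sfmt);
            return buf;
        }
        free(buf);                        /* did not fit: retry with more room */
    }
    free(sfmt);
    return NULL;
}

int main(void)
{
    /* Constructed sample time: Thu 2016-11-10 20:19:00 */
    struct tm tm = { .tm_year = 116, .tm_mon = 10, .tm_mday = 10,
                     .tm_hour = 20, .tm_min = 19, .tm_wday = 4 };
    char *s = format_time_bounded("%Y-%m-%d %H:%M", &tm);
    puts(s ? s : "(rejected)");
    free(s);
}
```
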