[Bug libc/17715] Robustify TZ file parser and reduce attack surface
joseph at codesourcery dot com
sourceware-bugzilla@sourceware.org
Mon Dec 15 19:12:00 GMT 2014
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
The code is not supposed to accept paths outside the default TZDIR at all
in secure mode:

  /* We must not allow to read an arbitrary file in a setuid
     program.  So we fail for any file which is not in the
     directory hierarchy starting at TZDIR
     and which is not the system wide default TZDEFAULT.  */
  if (__libc_enable_secure
      && ((*file == '/'
           && memcmp (file, TZDEFAULT, sizeof TZDEFAULT)
           && memcmp (file, default_tzdir, sizeof (default_tzdir) - 1))
          || strstr (file, "../") != NULL))
    /* This test is certainly a bit too restrictive but it should
       catch all critical cases.  */
    goto ret_free_transitions;

Is the security risk that someone might be able to provide a TZ string to
a program that (a) is running as another user (or on another system), but
(b) is not in __libc_enable_secure mode, and (c) where a file with
attacker-controlled problematic contents is readable by that user on that
system at a known path?
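
The following is an added example, not part of the original message and not glibc code: a stand-alone copy of the quoted condition, run over constructed TZ file names to show which ones the secure-mode check rejects and that nothing is rejected outside secure mode. The function name, the `EX_`/`ex_` names and the two path values are assumptions (the real TZDEFAULT and default_tzdir are set by the glibc build), and strncmp replaces memcmp so that short inputs are never read past their end.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values; the real ones come from the glibc build configuration. */
#define EX_TZDEFAULT "/etc/localtime"
static const char ex_default_tzdir[] = "/usr/share/zoneinfo";

/* Returns 1 when the quoted condition would take the
   "goto ret_free_transitions" branch, 0 when the file would be opened.
   enable_secure stands in for __libc_enable_secure. */
static int tz_file_rejected(const char *file, int enable_secure)
{
    if (!enable_secure)
        return 0;   /* the check applies only in secure mode */

    /* Same comparison lengths as the quoted code: TZDEFAULT must match
       exactly (terminating NUL included), default_tzdir as a prefix. */
    int absolute_outside =
        *file == '/'
        && strncmp(file, EX_TZDEFAULT, sizeof EX_TZDEFAULT) != 0
        && strncmp(file, ex_default_tzdir, sizeof ex_default_tzdir - 1) != 0;

    return absolute_outside || strstr(file, "../") != NULL;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the bug report. */
    static const char *const samples[] = {
        "Europe/Berlin",
        "/etc/localtime",
        "/usr/share/zoneinfo/UTC",
        "/tmp/crafted.tz",
        "../../tmp/crafted.tz",
        "/usr/share/zoneinfo/../../../tmp/crafted.tz",
    };

    printf("%-46s secure  non-secure\n", "file");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-46s %-7s %s\n", samples[i],
               tz_file_rejected(samples[i], 1) ? "reject" : "open",
               tz_file_rejected(samples[i], 0) ? "reject" : "open");
    return 0;
}
```
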