This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] tzset robustness [BZ#17715]


On Tue, Jan 20, 2015 at 02:18:01PM +0100, Florian Weimer wrote:
> On 01/16/2015 09:27 PM, Carlos O'Donell wrote:
> >>> We already do that, but we aren't consistent about it: We scrub
> >>> TZDIR unconditionally (which is cleared in AT_SECURE mode), but we
> >>> pass TZ variables containing absolute paths to subprocesses.  The
> >>> latter means that the TZDIR scrubbing isn't effective.
> >>
> >> I fail to see how removing env vars behind the program's back is
> >> conforming. I understand that the _intent_ is to improve security, but
> >> IMO any contract violation such as this is a potential cause of
> >> vulnerabilities in itself (e.g. as a silly example, suppose the child
> >> process you were executing is a tool that examines the environment and
> >> exits with 0/1 to tell if the environment contained anything
> >> dangerous).
> > 
> > I can't help but agree. Removing env vars is a bad idea, ignoring them
> > is the only way I'd handle this.
> 
> On the other hand, looking at TZDIR at all is non-conforming as well.

Are you sure? The way in which the TZ is processed when it's not a
POSIX TZ string is implementation-defined. Defining that to include
processing of the TZDIR environment variable is perfectly acceptable.
These interfaces are already permitted to access the environment so
there's no issue with concurrent environment access.

Rich
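The "ignore, don't remove" policy argued for above can be illustrated in code. The following is an added example and not glibc's tzset implementation or anything posted in this thread: it decides whether a TZ or TZDIR value should be honoured given the AT_SECURE flag, leaving the environment itself untouched so that child processes still see exactly what the caller set. The function names `tz_value_allowed`, `effective_tzdir` and `running_secure`, and the sample values in `main`, are constructed for the example; `getauxval(AT_SECURE)` is the real glibc call.

```c
/* Added example: honour-or-ignore policy for TZ / TZDIR in secure mode.
   Illustrative only; not glibc code.  Compile: cc -std=c11 -Wall tzpolicy.c */
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <sys/auxv.h>          /* getauxval, AT_SECURE (glibc >= 2.16) */
/* 1 if the kernel marked this process secure (set-uid/gid, capabilities). */
int running_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}
#else
/* Non-Linux fallback for the example: assume not secure. */
int running_secure(void)
{
    return 0;
}
#endif

/* Policy check for a TZ value.  A value naming a file outside the system
   zoneinfo tree (an absolute path, or a relative name with a ".." component)
   is honoured only when the process is not in secure mode.  POSIX TZ strings
   such as "EST5EDT" and plain zone names such as "Europe/Berlin" are always
   honoured.  The value is never removed from the environment; the caller
   simply falls back to the default when this returns 0.
   Returns 1 if the value may be used, 0 if it must be ignored. */
int tz_value_allowed(const char *tz, int secure)
{
    if (tz == NULL)
        return 1;                      /* no override at all */
    if (tz[0] == ':')
        tz++;                          /* ":path" form, same rules */
    if (tz[0] == '/')
        return !secure;                /* absolute path */
    /* Relative name: look for a ".." path component. */
    for (const char *p = tz; (p = strstr(p, "..")) != NULL; p += 2) {
        int at_start = (p == tz || p[-1] == '/');
        int at_end   = (p[2] == '\0' || p[2] == '/');
        if (at_start && at_end)
            return !secure;
    }
    return 1;
}

/* TZDIR override: ignored entirely in secure mode (again without unsetting
   it), otherwise used when non-empty. */
const char *effective_tzdir(const char *env_tzdir, int secure)
{
    static const char default_dir[] = "/usr/share/zoneinfo";
    if (secure || env_tzdir == NULL || env_tzdir[0] == '\0')
        return default_dir;
    return env_tzdir;
}

int main(void)
{
    /* Constructed sample values; a real program would read getenv("TZ"). */
    const char *samples[] = { "EST5EDT", "Europe/Berlin",
                              "/etc/localtime", "../../etc/passwd" };
    int secure = running_secure();

    printf("AT_SECURE: %d\n", secure);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("TZ=%-18s -> %s\n", samples[i],
               tz_value_allowed(samples[i], secure) ? "honoured" : "ignored");
    printf("TZDIR=/tmp/zi        -> %s\n", effective_tzdir("/tmp/zi", secure));
    return 0;
}
```

Run it once normally and once as a set-user-ID binary (or under any mechanism that sets AT_SECURE) to see the same environment produce different decisions; `env | grep TZ` in a child spawned from either run shows the variables intact, which is the point of ignoring rather than scrubbing.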

