This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] tzset robustness [BZ#17715]

From: Rich Felker <dalias at libc dot org>
To: Florian Weimer <fweimer at redhat dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>
Date: Thu, 15 Jan 2015 08:39:11 -0500
Subject: Re: [PATCH] tzset robustness [BZ#17715]
Authentication-results: sourceware.org; auth=none
References: <54B6E99E dot 4030109 at redhat dot com>

On Wed, Jan 14, 2015 at 11:11:42PM +0100, Florian Weimer wrote:
> This patch removes two different unbounded alloca calls, and also
> fixes the TZ parser issue identified here:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
> 
> This is not my preferred approach.  I would rather like to sanitize
> TZ in AT_SECURE mode, so that specifying a file from a non-default
> TZDIR does not work.  However, this alternative approach is a bit
> involved because the current ld.so setup code is not fit to handle
> content-dependent environment variable scrubbing.

Doing the scrubbing in the dynamic linker does not seem appropriate
anyway. It wouldn't solve the problem for static-linked binaries and
it would wrongly remove environment entries rather than just ignoring
them. Instead, tzset should be doing its own path enforcement based on
the presence of getauxval(AT_SECURE) or similar (e.g. the proposed
issetugid function).

Rich

Follow-Ups:
- Re: [PATCH] tzset robustness [BZ#17715]
  - From: Florian Weimer

References:
- [PATCH] tzset robustness [BZ#17715]
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]