public inbox for glibc-bugs@sourceware.org
* [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface
@ 2014-12-15 18:45 fweimer at redhat dot com
From: fweimer at redhat dot com @ 2014-12-15 18:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

            Bug ID: 17715
           Summary: Robustify TZ file parser and reduce attack surface
           Product: glibc
           Version: 2.21
               URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

Created attachment 8016
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8016&action=edit
crashtz

After this Debian bug report,

  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705>

we should clean up the TZ file parser and investigate ways to reduce its attack
surface.  For example, POSIX does not require that an absolute path can be
specified in the TZ environment variable.  We already clear TZDIR in AT_SECURE
mode, so accepting absolute files here may be a glibc bug (like the directory
traversal in the locale code, bug 17137).

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
@ 2014-12-15 18:52 ` fweimer at redhat dot com
From: fweimer at redhat dot com @ 2014-12-15 18:52 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
The crashtz attachment crashes tzset on i386 when the TZ environment variable
points to it (as an absolute path), in a potentially exploitable manner.




* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
  2014-12-15 18:52 ` [Bug libc/17715] " fweimer at redhat dot com
@ 2014-12-15 19:12 ` joseph at codesourcery dot com
From: joseph at codesourcery dot com @ 2014-12-15 19:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
The code is not supposed to accept paths outside the default TZDIR at all 
in secure mode:

      /* We must not allow to read an arbitrary file in a setuid
         program.  So we fail for any file which is not in the
         directory hierarchy starting at TZDIR
         and which is not the system wide default TZDEFAULT.  */
      if (__libc_enable_secure
          && ((*file == '/'
               && memcmp (file, TZDEFAULT, sizeof TZDEFAULT)
               && memcmp (file, default_tzdir, sizeof (default_tzdir) - 1))
              || strstr (file, "../") != NULL))
        /* This test is certainly a bit too restrictive but it should
           catch all critical cases.  */
        goto ret_free_transitions;

Is the security risk that someone might be able to provide a TZ string to 
a program that (a) is running as another user (or on another system), but 
(b) is not in __libc_enable_secure mode, and (c) where a file with 
attacker-controlled problematic contents is readable by that user on that 
system at a known path?




* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
  2014-12-15 18:52 ` [Bug libc/17715] " fweimer at redhat dot com
  2014-12-15 19:12 ` joseph at codesourcery dot com
@ 2014-12-15 19:25 ` fweimer at redhat dot com
From: fweimer at redhat dot com @ 2014-12-15 19:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to joseph@codesourcery.com from comment #2)
> Is the security risk that someone might be able to provide a TZ string to 
> a program that (a) is running as another user (or on another system), but 
> (b) is not in __libc_enable_secure mode, and (c) where a file with 
> attacker-controlled problematic contents is readable by that user on that 
> system at a known path?

Yes, I consider this to be a risk.  The current behavior is at least
inconsistent: we clear TZDIR to suppress its propagation, but we propagate
absolute paths in TZ.




* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
                   ` (2 preceding siblings ...)
  2014-12-15 19:25 ` fweimer at redhat dot com
@ 2014-12-16  9:12 ` fweimer at redhat dot com
From: fweimer at redhat dot com @ 2014-12-16  9:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com




* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
                   ` (3 preceding siblings ...)
  2014-12-16  9:12 ` fweimer at redhat dot com
@ 2014-12-16 10:38 ` fweimer at redhat dot com
From: fweimer at redhat dot com @ 2014-12-16 10:38 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
The issue appears to be related to lack of checking of num_isstd, num_isgmt in
__tzfile_read.  The code is difficult to review, and this code may have other
issues.

There is also an unbounded alloca further down (in the sizeof (time_t) == 4
case), which also needs to be changed.


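As an added illustration of the checks comment #4 calls for (this is constructed example code, not glibc's parser and not the fix that shipped in 2.22): a TZif header validator in C that rejects isstd/isgmt counts larger than typecnt and bounds the data block implied by the counts before anything is allocated. The header layout follows tzfile(5); TZIF_MAX_DATA, the reason codes and the two sample headers are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not glibc's code.  TZif layout per tzfile(5): "TZif",
   1-byte version, 15 reserved bytes, then six big-endian uint32 counts
   (isgmt, isstd, leap, time, type, char).  TZIF_MAX_DATA is an assumed bound. */
#define TZIF_HDR_LEN  44
#define TZIF_MAX_DATA (1u << 20)

struct tzif_counts { uint32_t isgmt, isstd, leap, time, type, chars; };

static uint32_t be32(const unsigned char *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Returns 0 if the header is acceptable, a nonzero reason code otherwise. */
int tzif_check_header(const unsigned char *buf, size_t len, struct tzif_counts *c)
{
  if (len < TZIF_HDR_LEN || memcmp(buf, "TZif", 4) != 0)
    return 1;                              /* truncated or not a TZif file */
  c->isgmt = be32(buf + 20); c->isstd = be32(buf + 24);
  c->leap  = be32(buf + 28); c->time  = be32(buf + 32);
  c->type  = be32(buf + 36); c->chars = be32(buf + 40);
  /* isstd/isgmt flags are one byte per local time type, so neither count may
     exceed typecnt; reading more overruns the per-type arrays (the missing
     check named in comment #4). */
  if (c->isstd > c->type || c->isgmt > c->type)
    return 2;
  /* Size of the 32-bit data block implied by the counts, computed in 64 bits
     so large counts cannot wrap; bound it before sizing any buffer from it
     (the other defect in comment #4 is an unbounded alloca). */
  uint64_t need = (uint64_t)c->time * 5 + (uint64_t)c->type * 6 + c->chars
                + (uint64_t)c->leap * 8 + c->isstd + c->isgmt;
  if (need > TZIF_MAX_DATA || need > len - TZIF_HDR_LEN)
    return 3;
  return 0;
}

/* Wrapper returning only the reason code. */
int tzif_check_buf(const unsigned char *buf, size_t len)
{ struct tzif_counts c; return tzif_check_header(buf, len, &c); }

/* Constructed samples: a consistent header followed by its 12-byte data block
   (typecnt 1, charcnt 4, isstdcnt 1, isgmtcnt 1), and the same header with
   isstdcnt = 0x7fffffff against typecnt = 1. */
const unsigned char good_tzif[TZIF_HDR_LEN + 12] =
  { 'T','Z','i','f','2', [20] = 0,0,0,1, [24] = 0,0,0,1, [36] = 0,0,0,1, [40] = 0,0,0,4 };
const unsigned char bad_tzif[TZIF_HDR_LEN + 12] =
  { 'T','Z','i','f','2', [20] = 0,0,0,1, [24] = 0x7f,0xff,0xff,0xff, [36] = 0,0,0,1, [40] = 0,0,0,4 };
```

Passing the header through tzif_check_buf before any per-count allocation turns an oversized isstdcnt or a count-driven buffer size into a clean rejection rather than an overrun.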


* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
                   ` (4 preceding siblings ...)
  2014-12-16 10:38 ` fweimer at redhat dot com
@ 2015-04-24 15:37 ` fweimer at redhat dot com
From: fweimer at redhat dot com @ 2015-04-24 15:37 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in glibc 2.22.




* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
                   ` (5 preceding siblings ...)
  2015-04-24 15:37 ` fweimer at redhat dot com
@ 2015-04-27 17:44 ` fweimer at redhat dot com
From: fweimer at redhat dot com @ 2015-04-27 17:44 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugzilla/show_bug.cgi?id=18333




* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
  2014-12-15 18:45 [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface fweimer at redhat dot com
                   ` (6 preceding siblings ...)
  2015-04-27 17:44 ` fweimer at redhat dot com
@ 2015-04-27 17:45 ` fweimer at redhat dot com
From: fweimer at redhat dot com @ 2015-04-27 17:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17715

--- Comment #7 from Florian Weimer <fweimer at redhat dot com> ---
Note: When backporting, also include commits
cc8dcf96e71dd643f929e32150904cd6ad69efa8 and
5cffc05ed5c7fea312f2822d388afc025d03c08a.  See bug 18333.



