public inbox for glibc-bugs@sourceware.org
* [Bug libc/17715] New: Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2014-12-15 18:45 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
Bug ID: 17715
Summary: Robustify TZ file parser and reduce attack surface
Product: glibc
Version: 2.21
URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Flags: security+
Created attachment 8016
--> https://sourceware.org/bugzilla/attachment.cgi?id=8016&action=edit
crashtz
After this Debian bug report,
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705>
we should clean up the TZ file parser and investigate ways to reduce its attack
surface. For example, POSIX does not require that an absolute path can be
specified in the TZ environment variable. We already clear TZDIR in AT_SECURE
mode, so accepting absolute files here may be a glibc bug (like the directory
traversal in the locale code, bug 17137).
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2014-12-15 18:52 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
The crashtz attachment crashes tzset on i386 when the TZ environment variable
points to it (as an absolute path), in a potentially exploitable manner.
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: joseph at codesourcery dot com @ 2014-12-15 19:12 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
The code is not supposed to accept paths outside the default TZDIR at all
in secure mode:
  /* We must not allow to read an arbitrary file in a setuid
     program.  So we fail for any file which is not in the
     directory hierarchy starting at TZDIR
     and which is not the system wide default TZDEFAULT.  */
  if (__libc_enable_secure
      && ((*file == '/'
           && memcmp (file, TZDEFAULT, sizeof TZDEFAULT)
           && memcmp (file, default_tzdir, sizeof (default_tzdir) - 1))
          || strstr (file, "../") != NULL))
    /* This test is certainly a bit too restrictive but it should
       catch all critical cases.  */
    goto ret_free_transitions;
Is the security risk that someone might be able to provide a TZ string to
a program that (a) is running as another user (or on another system), but
(b) is not in __libc_enable_secure mode, and (c) where a file with
attacker-controlled problematic contents is readable by that user on that
system at a known path?
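Added example, not glibc's code: a stand-alone model of the secure-mode
file-name policy quoted in comment #2, written for this page so the rule can
be run against concrete TZ values. The TZDEFAULT and TZDIR values are
assumptions (a real build takes them from the glibc Makefile), and the
example is deliberately stricter than the quoted memcmp prefix test in one
respect marked in the comments: it requires a '/' right after the TZDIR
prefix, so a sibling directory whose name merely starts with "zoneinfo" is
not treated as inside TZDIR. Outside secure mode it accepts everything,
which is exactly the behaviour comment #3 calls inconsistent.

```c
/* Added example modelling the AT_SECURE file-name policy for TZ.
   TZDEFAULT and TZDIR are assumed values, not taken from a glibc build. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TZDEFAULT "/etc/localtime"
#define TZDIR     "/usr/share/zoneinfo"

/* Returns true when FILE (the TZ value after a leading ':' has been
   stripped) may be opened as a zone file.  SECURE stands in for
   __libc_enable_secure, i.e. AT_SECURE: setuid/setgid/capabilities. */
bool tz_file_allowed(const char *file, bool secure)
{
    /* Non-secure processes get no filtering at all; any readable path,
       absolute or relative, is opened.  This mirrors the quoted glibc
       code, where every check sits under __libc_enable_secure. */
    if (!secure)
        return true;

    /* A "../" component anywhere can walk out of TZDIR, so it is refused
       even in a relative name. */
    if (strstr(file, "../") != NULL)
        return false;

    /* Relative names are resolved under TZDIR by the caller and are fine
       once "../" has been excluded. */
    if (file[0] != '/')
        return true;

    /* The one absolute file a secure process may always read. */
    if (strcmp(file, TZDEFAULT) == 0)
        return true;

    /* Stricter than the bare memcmp prefix test: insist on the path
       separator so "/usr/share/zoneinfo-other/x" is not accepted as
       living inside "/usr/share/zoneinfo". */
    size_t n = strlen(TZDIR);
    if (strncmp(file, TZDIR, n) == 0 && file[n] == '/')
        return true;

    return false;
}

int main(void)
{
    /* Constructed sample TZ values; "/tmp/crashtz" stands for an
       attacker-readable file at a known path. */
    const char *cases[] = {
        "/etc/localtime",
        "/usr/share/zoneinfo/Europe/Berlin",
        "/tmp/crashtz",
        "Europe/../../../../etc/passwd",
        "/usr/share/zoneinfo-other/x",
        "Europe/Berlin",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s secure:%s  normal:%s\n", cases[i],
               tz_file_allowed(cases[i], true) ? "allow" : "deny",
               tz_file_allowed(cases[i], false) ? "allow" : "deny");
    return 0;
}
```

The interesting row for this bug is "/tmp/crashtz": denied in secure mode,
allowed otherwise, so a crafted file only needs to be readable and named in
TZ to reach the parser in an ordinary process.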
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2014-12-15 19:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to joseph@codesourcery.com from comment #2)
> Is the security risk that someone might be able to provide a TZ string to
> a program that (a) is running as another user (or on another system), but
> (b) is not in __libc_enable_secure mode, and (c) where a file with
> attacker-controlled problematic contents is readable by that user on that
> system at a known path?
Yes, I consider this to be a risk. The current behavior is at least
inconsistent: we clear TZDIR to suppress its propagation, but we propagate
absolute paths in TZ.
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2014-12-16 9:12 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |fweimer at redhat dot com
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2014-12-16 10:38 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
The issue appears to be related to lack of checking of num_isstd, num_isgmt in
__tzfile_read. The code is difficult to review, and this code may have other
issues.
There is also an unbounded alloca further down (in the sizeof (time_t) == 4
case), which also needs to be changed.
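Added example, not glibc's __tzfile_read: a header validator for the TZif
format, written for this page to show the two checks comment #4 asks for
before any count is used to size an allocation or index an array. It reads
the six big-endian counts of a version 1 header, requires isstdcnt and
isutcnt (glibc's num_isstd / num_isgmt) to be zero or equal to typecnt as
RFC 8536 demands, caps every count before doing size arithmetic (the
assumed COUNT_LIMIT is this example's choice), and checks that the counts
do not promise more data than the file holds. Only the version 1 data block
is sized; the sample inputs are constructed inline, not real zone files.

```c
/* Added example: validate a TZif header before trusting its counts.
   Layout per RFC 8536 / tzfile(5): "TZif", version byte, 15 reserved
   bytes, then isutcnt, isstdcnt, leapcnt, timecnt, typecnt, charcnt as
   big-endian 32-bit integers.  COUNT_LIMIT is an assumed sanity cap. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TZIF_HDR_LEN 44
#define COUNT_LIMIT  (1u << 20)

struct tzif_hdr {
    uint8_t  version;
    uint32_t isutcnt, isstdcnt, leapcnt, timecnt, typecnt, charcnt;
    size_t   v1_block_len;   /* bytes the version 1 data block must occupy */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Returns true and fills H only when BUF (LEN bytes) carries a header
   whose counts are mutually consistent and backed by enough data. */
bool tzif_parse_header(const uint8_t *buf, size_t len, struct tzif_hdr *h)
{
    if (len < TZIF_HDR_LEN || memcmp(buf, "TZif", 4) != 0)
        return false;
    h->version  = buf[4];
    h->isutcnt  = be32(buf + 20);
    h->isstdcnt = be32(buf + 24);
    h->leapcnt  = be32(buf + 28);
    h->timecnt  = be32(buf + 32);
    h->typecnt  = be32(buf + 36);
    h->charcnt  = be32(buf + 40);

    /* Cap first, so the multiplications below cannot wrap and no later
       allocation (alloca or otherwise) is sized by an unbounded count. */
    if (h->isutcnt > COUNT_LIMIT || h->isstdcnt > COUNT_LIMIT ||
        h->leapcnt > COUNT_LIMIT || h->timecnt  > COUNT_LIMIT ||
        h->typecnt > COUNT_LIMIT || h->charcnt  > COUNT_LIMIT)
        return false;

    /* The isstd / isut flag arrays are indexed in parallel with the
       ttinfo array, so RFC 8536 requires each count to be zero or equal
       to typecnt.  A reader that skips this and loops to isstdcnt writes
       entries typecnt..isstdcnt-1 past the end of its types array. */
    if ((h->isstdcnt != 0 && h->isstdcnt != h->typecnt) ||
        (h->isutcnt  != 0 && h->isutcnt  != h->typecnt))
        return false;

    /* RFC 8536: at least one local time type record is required. */
    if (h->typecnt == 0)
        return false;

    /* Version 1 data block: 4-byte transition times, 1-byte type index
       per transition, 6-byte ttinfo records, abbreviation characters,
       8-byte leap-second records, then the two one-byte flag arrays. */
    size_t need = (size_t)h->timecnt * 4 + h->timecnt +
                  (size_t)h->typecnt * 6 + h->charcnt +
                  (size_t)h->leapcnt * 8 + h->isstdcnt + h->isutcnt;
    if (need > len - TZIF_HDR_LEN)
        return false;            /* counts promise more than the file has */
    h->v1_block_len = need;
    return true;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed input helper: builds a header with the given counts
   followed by DATA_LEN zero bytes and reports whether it is accepted. */
bool tzif_accepts(uint32_t isut, uint32_t isstd, uint32_t leap, uint32_t time,
                  uint32_t type, uint32_t chars, size_t data_len)
{
    uint8_t buf[4096];
    if (data_len > sizeof buf - TZIF_HDR_LEN)
        return false;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "TZif", 4);
    buf[4] = '2';
    const uint32_t counts[6] = { isut, isstd, leap, time, type, chars };
    for (int i = 0; i < 6; i++)
        put32(buf + 20 + 4 * i, counts[i]);
    struct tzif_hdr h;
    return tzif_parse_header(buf, TZIF_HDR_LEN + data_len, &h);
}

int main(void)
{
    /* 3 transitions, 2 types, 8 abbreviation bytes, both flag arrays:
       12 + 3 + 12 + 8 + 2 + 2 = 39 data bytes. */
    printf("well-formed:        %s\n", tzif_accepts(2, 2, 0, 3, 2, 8, 39) ? "accept" : "reject");
    printf("isstdcnt > typecnt: %s\n", tzif_accepts(0, 1000, 0, 0, 1, 4, 4052) ? "accept" : "reject");
    printf("huge timecnt:       %s\n", tzif_accepts(0, 0, 0, 0xFFFFFFFFu, 1, 4, 100) ? "accept" : "reject");
    return 0;
}
```

The second case is the shape comment #4 describes: every individual count
is small enough to fit in the file, so a size-only check passes, and only
the cross-check against typecnt stops the out-of-bounds writes.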
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2015-04-24 15:37 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in glibc 2.22.
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2015-04-27 17:44 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugzilla/show_bug.cgi?id=18333
* [Bug libc/17715] Robustify TZ file parser and reduce attack surface
From: fweimer at redhat dot com @ 2015-04-27 17:45 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17715
--- Comment #7 from Florian Weimer <fweimer at redhat dot com> ---
Note: When backporting, also include commits
cc8dcf96e71dd643f929e32150904cd6ad69efa8 and
5cffc05ed5c7fea312f2822d388afc025d03c08a. See bug 18333.