Re: [RFC][PATCH v4 06/11] Provide backward compatibility for strftime family (bug 10871).

[Rafal Luzynski <digitalfreak@lingonborough.com>]

10.11.2016 20:19 Andreas Schwab <schwab@linux-m68k.org> wrote:
>
>
> On Nov 10 2016, Rafal Luzynski <digitalfreak@lingonborough.com> wrote:
>
> > I was investigating these cases long ago and in Linux only,
> > sorry if I'm inaccurate and please tell me if an actual investigation
> > is needed again. I don't know if FreeBSD uses the same GNU coreutils
> > as Linux does but if it does then it's not a surprise if some bugs
> > are common.
>
> FreeBSD generally does not use GNU tools. Here is the source for date,
> for example:
>
> https://svnweb.freebsd.org/base/head/bin/date/
>
> Andreas.

Thank you for this link, Andreas.  I took the opportunity to analyze the
problem more thoroughly.

1. date utility in FreeBSD actually calls strftime() directly which makes
   it vulnerable to memory overflow if the format string is maliciously
   long, an issue which has been fixed in glibc a while ago.  That means
   that whole implementation of date format is inside strftime().
   The default format for a date is "%+" (not supported in glibc2)
   which uses whatever is provided in locale data as date_fmt field.
2. In case of Catalan language, date_fmt and other formats had many
   changes this year but the additional unnecessary "de" before the
   month name has been added only in the last commit, on Aug 13, 2016.
   It did not exist before.  Florian, your FreeBSD says it's release 11.0
   from Sep 29, 2016.  All this looks like you have spotted a bug,
   not present in the older releases and not yet fixed.  I don't know
   why this change has been introduced, the commit comment says
   that the time data from CLDR are not good but does not explain where
   the format containing the additional "de" comes from.
   Catalan language has been added to FreeBSD only in October 2015.
   While at this, it seems strange to me that it is listed as ca_IT
   rather than ca_ES but I guess it does work anyway.
3. In case of cal utility I'm not sure if it's a core part of FreeBSD
   because FreeBSD manuals say that ncal is its native cal implementation.
   I'm not sure where cal comes from.  If it comes from Linux or from
   another non-BSD source then it may have the same problems I mentioned
   before: it displays nl_langinfo(MON_1+x) which may return a month
   name in a genitive form (or whatever is appropriate when printing
   a month name in a full date context but not standalone), one of
   those issues which will be introduced by my proposed change.
   At the same time, ncal uses wcsprintf("%OB") - correctly!
4. Unfortunately, there seem to be no more Western European languages
   supported in FreeBSD and featuring any difference between %B and %OB
   months names.

Please note that whether we implement nominative (standalone) cases
as %OB/ALTMON_x and genitive (full date) as %B/MON_x or the other
way round it does not change the vulnerability to the incorrect
format strings.  If the format string for Catalan (or any other
similar language) contains additional "de" while the month name
is already in its genitive form then whole format string becomes
incorrect no matter which implementation we choose.

Regards,

Rafal