From: Rafal Luzynski
To: Andreas Schwab
Cc: libc-alpha@sourceware.org, Florian Weimer
Date: Tue, 15 Nov 2016 01:21:00 -0000
Message-ID: <889064307.140264.1479172873339@poczta.nazwa.pl>
Subject: Re: [RFC][PATCH v4 06/11] Provide backward compatibility for strftime family (bug 10871).

10.11.2016 20:19 Andreas Schwab wrote:
>
> On Nov 10 2016, Rafal Luzynski wrote:
>
> > I was investigating these cases long ago and in Linux only,
> > sorry if I'm inaccurate and please tell me if an actual investigation
> > is needed again. I don't know if FreeBSD uses the same GNU coreutils
> > as Linux does but if it does then it's not a surprise if some bugs
> > are common.
>
> FreeBSD generally does not use GNU tools. Here is the source for date,
> for example:
>
> https://svnweb.freebsd.org/base/head/bin/date/
>
> Andreas.

Thank you for this link, Andreas. I took the opportunity to analyze
the problem more thoroughly.

1. The date utility in FreeBSD actually calls strftime() directly, which
makes it vulnerable to memory overflow if the format string is
maliciously long, an issue which was fixed in glibc a while ago.
That means that the whole implementation of the date format is inside
strftime(). The default format for a date is "%+" (not supported in
glibc2), which uses whatever is provided in the locale data as the
date_fmt field.

2. In the case of the Catalan language, date_fmt and other formats had
many changes this year, but the additional unnecessary "de" before the
month name was added only in the last commit, on Aug 13, 2016. It did
not exist before. Florian, your FreeBSD says it's release 11.0 from
Sep 29, 2016. All this looks like you have spotted a bug, not present
in the older releases and not yet fixed. I don't know why this change
has been introduced; the commit comment says that the time data from
CLDR are not good but does not explain where the format containing the
additional "de" comes from. The Catalan language was added to FreeBSD
only in October 2015. While at this, it seems strange to me that it is
listed as ca_IT rather than ca_ES, but I guess it does work anyway.

3. In the case of the cal utility, I'm not sure if it's a core part of
FreeBSD because the FreeBSD manuals say that ncal is its native cal
implementation. I'm not sure where cal comes from. If it comes from
Linux or from another non-BSD source then it may have the same problems
I mentioned before: it displays nl_langinfo(MON_1+x), which may return
a month name in a genitive form (or whatever is appropriate when
printing a month name in a full date context but not standalone), one
of those issues which will be introduced by my proposed change. At the
same time, ncal uses wcsprintf("%OB") - correctly!

4. Unfortunately, there seem to be no more Western European languages
supported in FreeBSD and featuring any difference between %B and %OB
month names.

Please note that whether we implement nominative (standalone) cases as
%OB/ALTMON_x and genitive (full date) as %B/MON_x or the other way round,
it does not change the vulnerability to incorrect format strings.
If the format string for Catalan (or any other similar language) contains
an additional "de" while the month name is already in its genitive form,
then the whole format string becomes incorrect no matter which
implementation we choose.

Regards,

Rafal
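
Point 1 of the message above concerns passing a caller-controlled format string straight to strftime(). The following is an added example, not part of the original message and not code from FreeBSD or glibc: a defensive wrapper that caps the format length, bounds the output, and tells truncation apart from a legitimately empty result. The name format_time_checked and the limits MAX_FMT_LEN and MAX_OUT_LEN are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define MAX_FMT_LEN 256   /* assumed policy limit on caller-supplied formats */
#define MAX_OUT_LEN 4096  /* assumed upper bound on the formatted result */

/* Format *tm with an untrusted format string (hypothetical helper).
 * Returns a malloc'd string the caller frees, or NULL if the format is
 * too long, the result would exceed MAX_OUT_LEN, or allocation fails. */
char *format_time_checked(const char *fmt, const struct tm *tm)
{
    /* Reject overlong formats before any copy is made. */
    const char *end = memchr(fmt, '\0', MAX_FMT_LEN + 1);
    if (end == NULL)
        return NULL;
    size_t flen = (size_t)(end - fmt);

    /* strftime() returns 0 both when the result does not fit and when it
     * is legitimately empty. A one-byte sentinel in front of the format
     * makes every successful call return at least 1. */
    char sfmt[MAX_FMT_LEN + 2];
    sfmt[0] = '#';
    memcpy(sfmt + 1, fmt, flen + 1);

    /* Grow the output buffer geometrically, but never past the cap. */
    for (size_t cap = 64; cap <= MAX_OUT_LEN; cap *= 2) {
        char *buf = malloc(cap);
        if (buf == NULL)
            return NULL;
        size_t n = strftime(buf, cap, sfmt, tm);
        if (n > 0) {
            memmove(buf, buf + 1, n);  /* drop sentinel, keep the NUL */
            return buf;
        }
        free(buf);  /* contents are unspecified after a 0 return */
    }
    return NULL;
}

int main(void)
{
    struct tm t = {0};  /* constructed sample date: 2016-11-15 */
    t.tm_year = 116; t.tm_mon = 10; t.tm_mday = 15;
    char *s = format_time_checked("%Y-%m-%d", &t);
    puts(s ? s : "(rejected)");
    free(s);
    return 0;
}
```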