[J. Wunsch: hey (fwd)]

Paul Eggert eggert at twinsun.com
Fri Jan 10 23:38:45 UTC 1997


   Date: Fri, 10 Jan 1997 14:19:50 -0500
   From: Roland McGrath <roland at frob.com>

   I can think of a third way to combat that problem: make the code that reads
   the data files robust, so it checks for invalid data and makes sure it can
   never crash due to bogus data.

That is the best way, and in fact the tz code is supposed to do that
already.  I just took a quick look and I couldn't see any holes in its
checking, though I didn't look that carefully.  The original bug
report is too sketchy to see what the problem might be.  I could not
reproduce it with the elsie localtime.c under Solaris 2.5.1.

Perhaps the problem is in the FreeBSD edition rather than the elsie
code?  I just compared their localtime.c implementations (using
FreeBSD-current), and the only differences that I see are:

	* The FreeBSD edition has mutexes to support reentrant variants
	  like localtime_r.

	* The FreeBSD edition refuses to read a timezone file if it is
	  not a regular file.  (I don't know why this restriction is
	  needed.)

	* The FreeBSD edition is missing a fix for the Posix case.

Perhaps the bug is in the FreeBSD mutex handling.  For example,
gmtload is sometimes protected by gmt_mutex, and sometimes by
lcl_mutex; this sounds odd to me, but I don't understand FreeBSD
mutexes so I could just be misunderstanding things.


Perhaps the elsie version should add support for localtime_r and
friends; this might help avoid future bugs in this area.  localtime_r
is now officially part of Posix, after all.


   From: Adam Kubicki <mikee at solozzo.tele.pw.edu.pl>
   Date: Thu, 09 Jan 1997 23:02:44 MET

   And, setting TZ to /etc/master.passwd you will find whole master.passwd
   in core file (touch login.core first to fool default umask/owner core
   flags).

I presume that /etc/master.passwd is not supposed to be readable to
ordinary users.  That's odd.  In both elsie tz and FreeBSD-current,
tzload uses access() as well as open() to check whether the file is
readable.  There is of course a window of vulnerability here, but it
doesn't sound like Kubicki is trying to exploit it.

Perhaps he's using some other implementation of localtime?
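As an added example (not tzcode's source, nor part of this message): a defensive tzfile opener in C that follows Roland McGrath's advice to make the data-file reader robust, and that avoids the access()/open() window noted above by opening first and checking the descriptor. The TZ_MAX_* bounds, the set-id refusal and the function names are this example's own assumptions; the header layout follows the published TZif format (magic, version, reserved bytes, six big-endian counts).

```c
/* Added example, not tzcode's own source: a defensive TZif opener and header check.
 * The policy choices here are the example's own, not a description of any tzcode release. */
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* TZif header: magic(4) version(1) reserved(15) then six big-endian 4-byte counts.
 * The TZ_MAX_* bounds are assumed here, in the spirit of tzfile.h's limits. */
enum { TZ_HDR_LEN = 44, TZ_MAX_TIMES = 2000, TZ_MAX_TYPES = 256, TZ_MAX_LEAPS = 50, TZ_MAX_CHARS = 50 };

/* Open a TZif file and return a descriptor, or -1 if it must not be used.
 * Opening first and inspecting the descriptor with fstat() closes the window that
 * an access()-then-open() sequence leaves between the two calls. */
int tz_open_checked(const char *path) {
    struct stat st;
    /* A set-id process must not let the caller's TZ name an arbitrary file. */
    if (getuid() != geteuid() || getgid() != getegid()) return -1;
    /* O_NONBLOCK so a FIFO named in TZ cannot hang the process inside open(). */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validate the fixed header before any count drives a read or an allocation.
 * Returns 1 when the header is usable, 0 when the file must be rejected. */
int tz_header_ok(const unsigned char *hdr, size_t len) {
    if (len < TZ_HDR_LEN || memcmp(hdr, "TZif", 4) != 0) return 0;
    uint32_t isutcnt = be32(hdr + 20), isstdcnt = be32(hdr + 24), leapcnt = be32(hdr + 28);
    uint32_t timecnt = be32(hdr + 32), typecnt = be32(hdr + 36), charcnt = be32(hdr + 40);
    if (typecnt == 0 || typecnt > TZ_MAX_TYPES) return 0;   /* every transition needs a type */
    if (timecnt > TZ_MAX_TIMES || leapcnt > TZ_MAX_LEAPS || charcnt > TZ_MAX_CHARS) return 0;
    /* isstd/isut flag arrays are either absent or exactly one flag per type. */
    if ((isstdcnt && isstdcnt != typecnt) || (isutcnt && isutcnt != typecnt)) return 0;
    return 1;
}

/* Constructed header with the given counts, run through tz_header_ok (for tests). */
int tz_counts_ok(uint32_t isut, uint32_t isstd, uint32_t leap, uint32_t time, uint32_t type, uint32_t chars) {
    unsigned char hdr[TZ_HDR_LEN] = "TZif2";          /* remaining bytes zero-filled */
    uint32_t c[6] = { isut, isstd, leap, time, type, chars };
    for (int i = 0; i < 6; i++)
        for (int b = 0; b < 4; b++) hdr[20 + 4 * i + b] = (unsigned char)(c[i] >> (24 - 8 * b));
    return tz_header_ok(hdr, sizeof hdr);
}
```

A reader that passes these checks still needs to confirm the file body actually holds the bytes the counts promise before indexing into it.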