[J. Wunsch: hey (fwd)]

Garrett Wollman wollman at lcs.mit.edu
Fri Jan 10 18:34:22 UTC 1997


This is something of a security bug report, but the security problem
is not necessarily a bug in the timezone code.  However, I do think
it's a bug that our code (which is not the very latest tzcode) will
crash if the TZ variable is set to point to a non-TZ file.  I can
think of two ways to combat this:

1) Disallow selection of files containing `.' or starting with a
leading `/' unless the name is the same as TZDEFAULT.

2) Use some of the tzh_reserved[] bytes for a magic number.

(2) is more flexible, but still allows for a malicious user to cause a
core dump.  I prefer (1) and will probably implement that unless
someone can provide a good reason not to.

------- start of forwarded message (RFC 934 encapsulation) -------
From: J Wunsch <j at ida.interface-business.de>
To: wollman at freebsd.org
Subject: hey (fwd)
Date: Fri, 10 Jan 1997 12:28:15 +0100 (MET)

Hi Garrett,

can you deal in time with this problem?  Otherwise, I'd look into
it myself.

- ----- Forwarded message from Adam Kubicki -----

Message-Id: <199701092155.WAA12271 at innocence.interface-business.de>
From: Adam Kubicki <mikee at solozzo.tele.pw.edu.pl>
Subject: hey
To: joerg_wunsch at interface-business.de
Date: Thu, 09 Jan 1997 23:02:44 MET
In-Reply-To: <199612171142.MAA11937 at ida.interface-business.de>; from "J Wunsch" at Dec 17, 96 12:42 (noon)
X-Mailer: Elm [revision: 112.2]

hi,

there is a bug in the tzset() function. Setting the TZ environment variable
to some file, you can cause a program to dump core: variables read
from this file are used as various offsets in settzname(), thus
you get SIGSEGV. Because suid programs don't dump core, it's not so
dangerous, but you can export TZ in telnet and force login to dump core.
gettimeoftheday() in login.c is called after logging in, but before setuid(uid),
so you will get login.core in your home directory. This core file will
follow symlinks, allowing you to overwrite any file on the system.
And, setting TZ to /etc/master.passwd, you will find the whole master.passwd
in the core file (touch login.core first to fool default umask/owner core
flags).
I'd be glad to get a smart patch from you; as a quick fix I disabled TZ
in telnetd.

- -adam

- ----- End of forwarded message from Adam Kubicki -----

- -- 
J"org Wunsch					       Unix support engineer
joerg_wunsch at interface-business.de       http://www.interface-business.de/~j
------- end -------
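The two mitigations Garrett lists at the top of this message, and the unchecked-offset failure Adam describes, as an added example in C that is not part of this message and not the tz project's code: tz_name_is_safe() implements option (1) (reject names containing `.' or starting with `/' unless the name is TZDEFAULT), and tz_validate_image() implements a magic check in the spirit of option (2) and then bounds-checks every count and index a settzname()-style routine would dereference, before any of them is used. The TZDEFAULT value, the TZ_MAX_* limits, the function names and the sample image built by tz_build_sample() are assumptions constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the tz project's code. TZDEFAULT, the TZ_MAX_* limits
 * and every function name here are assumptions chosen for illustration. */
#define TZDEFAULT    "localtime"  /* assumed default zone name */
#define TZ_MAGIC     "TZif"       /* 4-byte magic at the start of a tzfile */
#define TZ_HDRLEN    44           /* magic[4] + reserved[16] + six counts */
#define TZ_MAX_TIMES 370
#define TZ_MAX_TYPES 256
#define TZ_MAX_CHARS 50
#define TZ_MAX_LEAPS 50

/* Option (1): refuse TZ names that could name an arbitrary file, unless the
 * name is exactly TZDEFAULT. Returns 1 if the name may be opened. */
int tz_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, TZDEFAULT) == 0)
        return 1;
    if (name[0] == '/' || strchr(name, '.') != NULL)
        return 0;
    return 1;
}

enum tz_err { TZ_OK = 0, TZ_SHORT, TZ_BADMAGIC, TZ_BADCOUNT, TZ_BADINDEX };

static uint32_t get32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Option (2) plus bounds checks: validate a version-1 tzfile image before
 * any of its counts or indices are used. The transition type indices and
 * the ttinfo abbreviation indices are the offsets settzname() dereferences. */
int tz_validate_image(const unsigned char *buf, size_t len)
{
    if (len < TZ_HDRLEN) return TZ_SHORT;
    if (memcmp(buf, TZ_MAGIC, 4) != 0) return TZ_BADMAGIC;

    uint32_t ttisgmtcnt = get32(buf + 20), ttisstdcnt = get32(buf + 24);
    uint32_t leapcnt = get32(buf + 28),    timecnt    = get32(buf + 32);
    uint32_t typecnt = get32(buf + 36),    charcnt    = get32(buf + 40);

    if (typecnt == 0 || typecnt > TZ_MAX_TYPES || timecnt > TZ_MAX_TIMES ||
        charcnt > TZ_MAX_CHARS || leapcnt > TZ_MAX_LEAPS ||
        ttisstdcnt > typecnt || ttisgmtcnt > typecnt)
        return TZ_BADCOUNT;

    /* Body: times (4 each), type indices (1 each), ttinfo (6 each),
     * abbreviation chars, leap records (8 each), isstd and isgmt flags. */
    size_t need = TZ_HDRLEN + (size_t)timecnt * 5 + (size_t)typecnt * 6 +
                  charcnt + (size_t)leapcnt * 8 + ttisstdcnt + ttisgmtcnt;
    if (len < need) return TZ_SHORT;

    const unsigned char *types = buf + TZ_HDRLEN + (size_t)timecnt * 4;
    for (uint32_t i = 0; i < timecnt; i++)
        if (types[i] >= typecnt) return TZ_BADINDEX;   /* no such ttinfo */

    const unsigned char *ttis = types + timecnt;
    for (uint32_t i = 0; i < typecnt; i++)
        if (ttis[i * 6 + 5] >= charcnt) return TZ_BADINDEX;   /* tt_abbrind */
    return TZ_OK;
}

/* Build a constructed sample image: no transitions, one ttinfo entry whose
 * abbreviation index is 'abbrind', and 'charcnt' abbreviation bytes.
 * 'out' must hold at least TZ_HDRLEN + 6 + charcnt bytes. */
size_t tz_build_sample(unsigned char *out, const char *magic,
                       uint32_t charcnt, unsigned char abbrind)
{
    size_t len = TZ_HDRLEN + 6 + charcnt;
    memset(out, 0, len);
    memcpy(out, magic, 4);
    put32(out + 36, 1);         /* typecnt */
    put32(out + 40, charcnt);   /* charcnt */
    out[TZ_HDRLEN + 5] = abbrind;
    return len;
}

int main(void)
{
    unsigned char img[128];
    size_t n;
    printf("name /etc/master.passwd safe: %d\n", tz_name_is_safe("/etc/master.passwd"));
    printf("name localtime safe: %d\n", tz_name_is_safe("localtime"));
    n = tz_build_sample(img, TZ_MAGIC, 4, 0);
    printf("well-formed image: %d\n", tz_validate_image(img, n));
    n = tz_build_sample(img, TZ_MAGIC, 4, 200);
    printf("abbrind past charcnt: %d\n", tz_validate_image(img, n));
    n = tz_build_sample(img, "root", 4, 0);
    printf("non-tzfile bytes: %d\n", tz_validate_image(img, n));
    return 0;
}
```

Both checks are cheap enough to run on every tzset(); the name check alone closes the telnet/login scenario in the forwarded message, and the image check keeps a corrupt or truncated file under TZDIR from crashing the process.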


