GitHub user Naveed8951 reported a potential (but unlikely) security flaw due to undefined behavior in localtime.c after integer overflow. The patches in this series should fix the reported problems. Some of the problem occurred in a part of the localtime.c code that was implementing a feature declared obsolete in TZDB release 2019b. This feature let the sysadmin specify default DST rules for DST-but-ruleless old-style POSIX settings like TZ="AST4ADT". Rather than try to fix the feature this patch series removes it; the feature is hardly ever used and would stop working in 2038 anyway. As a result, tzcode by default uses current US DST for these settings, with no opportunity for sysadmin override (though the default can be overriden when tzcode is compiled). This behavior is already common elsewhere. Paul Eggert (6): Add comment re UT offsets equal to -2**31 Document zic -p better zic now warns about -p Remove POSIXRULES installation option Remove TZDEFRULES ("posixrules") from localtime.c Fix remaining Naveed8951-reported overflows Makefile | 28 +--- NEWS | 19 +++ localtime.c | 388 ++++++++++++++++++++++++---------------------------- newctime.3 | 4 +- newtzset.3 | 29 +--- tzfile.5 | 7 +- tzfile.h | 12 +- zic.8 | 17 ++- zic.c | 8 ++ 9 files changed, 228 insertions(+), 284 deletions(-) -- 2.52.0