Date: Fri, 10 Jan 1997 14:19:50 -0500
From: Roland McGrath <roland@frob.com>

> I can think of a third way to combat that problem: make the code that
> reads the data files robust, so it checks for invalid data and makes
> sure it can never crash due to bogus data.

That is the best way, and in fact the tz code is supposed to do that already. I just took a quick look and I couldn't see any holes in its checking, though I didn't look that carefully.

The original bug report is too sketchy to see what the problem might be. I could not reproduce it with the elsie localtime.c under Solaris 2.5.1. Perhaps the problem is in the FreeBSD edition rather than the elsie code?

I just compared their localtime.c implementations (using FreeBSD-current), and the only differences that I see are:

* The FreeBSD edition has mutexes to support reentrant variants like localtime_r.

* The FreeBSD edition refuses to read a timezone file if it is not a regular file. (I don't know why this restriction is needed.)

* The FreeBSD edition is missing a fix for the Posix case.

Perhaps the bug is in the FreeBSD mutex handling. For example, gmtload is sometimes protected by gmt_mutex, and sometimes by lcl_mutex; this sounds odd to me, but I don't understand FreeBSD mutexes so I could just be misunderstanding things.

Perhaps the elsie version should add support for localtime_r and friends; this might help avoid future bugs in this area. localtime_r is now officially part of Posix, after all.

From: Adam Kubicki <mikee@solozzo.tele.pw.edu.pl>
Date: Thu, 09 Jan 1997 23:02:44 MET

> And, setting TZ to /etc/master.passwd you will find whole master.passwd
> in core file (touch login.core first to fool default umask/owner core
> flags).

I presume that /etc/master.passwd is not supposed to be readable to ordinary users.

That's odd. In both elsie tz and FreeBSD-current, tzload uses access() as well as open() to check whether the file is readable.
There is of course a window of vulnerability here, but it doesn't sound like Kubicki is trying to exploit it. Perhaps he's using some other implementation of localtime?
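The "window of vulnerability" above is the gap between access() answering a question about a path and open() acting on that same path; whatever the path points at can change in between. The following is an added example, not code from the tz or FreeBSD localtime.c sources, showing the race-free pattern a maintainer would use instead: open the file first, then ask fstat() about the descriptor actually obtained, refuse anything that is not a regular file (the FreeBSD check mentioned above), and compare the mode bits against the real uid/gid, which is the question access() was being asked. The function names, the uid-only permission check (supplementary groups are ignored) and the scratch file are assumptions of this example.

```c
/* Added example: race-free replacement for the access()-then-open() pair
   discussed in the thread.  Not from tz or FreeBSD; names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Would the real (not effective) user be allowed to read this file?
   This is what access(path, R_OK) asks, but answered about an already
   open descriptor so the answer cannot go stale.  Supplementary groups
   are deliberately ignored here (simplifying assumption). */
static int real_user_can_read(const struct stat *st)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (ruid == 0)
        return 1;                       /* root bypasses mode bits, as access() does */
    if (st->st_uid == ruid)
        return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == rgid)
        return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Open `path` read-only.  Return the descriptor only if the file we got is
   a regular file and the real user may read it; otherwise close it and
   return -1 with errno set.  Nothing is read before the checks pass, so a
   refused file never enters process memory (and so never reaches a core). */
int open_tzfile_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {         /* the FreeBSD "regular file only" rule */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (!real_user_can_read(&st)) {     /* race-free stand-in for access(R_OK) */
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed check: a readable regular file owned by us must be accepted.
   Returns 1 on acceptance, 0 otherwise. */
int demo_regular_file_accepted(void)
{
    char name[] = "/tmp/tzcheck.XXXXXX";   /* constructed scratch file */
    int tmp = mkstemp(name);
    int fd, ok;

    if (tmp < 0)
        return 0;
    if (write(tmp, "TZif", 4) != 4) {      /* constructed content */
        close(tmp);
        unlink(name);
        return 0;
    }
    close(tmp);
    fd = open_tzfile_checked(name);
    ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(name);
    return ok;
}

int main(void)
{
    printf("regular file accepted: %d\n", demo_regular_file_accepted());
    printf("directory '/' accepted: %d\n", open_tzfile_checked("/") >= 0);
    return 0;
}
```

The ordering is the whole point: the decision is made about the object that was opened, not about a name that may since have been repointed, and the descriptor is discarded before any bytes are read, so a refused file cannot end up in the process image.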