Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Sep 2021 19:39:49 +0200
From: Markus Wichmann <>
Subject: Re: tzset() cannot handle arbitrary inputs

Hi all,

I don't see any security issues here, only QoI issues. The user setting
TZ is also the one getting the crashes. The assumption is less that the
input is always valid, but more that if it is invalid, the user will
only be hacking themselves. Which is pointless. The user can at any
point provide a good definition of TZ, even if the site admin is a BOFH
that is deliberatly putting bad zone definitions into the zoneinfo

That said, the user is prevented from doing so if the login shell
crashes after a successful hack of the system, which is where the QoI
and security domains start to rub up against each other. Then again, an
attacker capable of implanting bad zone files has at least root access,
and can therefore just disable user accounts and change passwords. And
an attacker capable of setting the user's default TZ variable has user
access and can probably just create an RC file that quits the shell or
something. So a successful attacker has no need to detain themselves
with zone files or TZ parsers.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.