Date: Sun, 5 Sep 2021 19:39:49 +0200 From: Markus Wichmann <nullplan@....net> To: musl@...ts.openwall.com Subject: Re: tzset() cannot handle arbitrary inputs Hi all, I don't see any security issues here, only QoI issues. The user setting TZ is also the one getting the crashes. The assumption is less that the input is always valid, but more that if it is invalid, the user will only be hacking themselves. Which is pointless. The user can at any point provide a good definition of TZ, even if the site admin is a BOFH that is deliberatly putting bad zone definitions into the zoneinfo database. That said, the user is prevented from doing so if the login shell crashes after a successful hack of the system, which is where the QoI and security domains start to rub up against each other. Then again, an attacker capable of implanting bad zone files has at least root access, and can therefore just disable user accounts and change passwords. And an attacker capable of setting the user's default TZ variable has user access and can probably just create an RC file that quits the shell or something. So a successful attacker has no need to detain themselves with zone files or TZ parsers. Ciao, Markus
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.