Projects
openEuler:Mainline
shadow
_service:tar_scm:backport-Correctly-handle-ille...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-Correctly-handle-illegal-system-file-in-tz.patch of Package shadow
From 37ae2320809cb16afa9dacd8e5ea317ae216ee36 Mon Sep 17 00:00:00 2001 From: Samanta Navarro <ferivoz@riseup.net> Date: Fri, 27 Jan 2023 11:57:51 +0000 Subject: [PATCH] Correctly handle illegal system file in tz If the file referenced by ENV_TZ has a zero length string, then an out of boundary write occurs. Also the result can be wrong because it is assumed that the file will always end with a newline. Only override a newline character with '\0' to avoid these cases. This cannot be considered to be security relevant because login.defs and its contained references to system files should be trusted to begin with. Proof of Concept: 1. Compile shadow's su with address sanitizer and --without-libpam 2. Setup your /etc/login.defs to contain ENV_TZ=/etc/tzname 3. Prepare /etc/tzname to contain a '\0' byte at the beginning `python -c "print('\x00')" > /etc/tzname` 4. Use su `su -l` You can see the following output: `tz.c:45:8: runtime error: index 18446744073709551615 out of bounds for type 'char [8192]'` Signed-off-by: Samanta Navarro <ferivoz@riseup.net> --- libmisc/tz.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libmisc/tz.c b/libmisc/tz.c index f3f5733e..9f3a41f2 100644 --- a/libmisc/tz.c +++ b/libmisc/tz.c @@ -42,7 +42,8 @@ strcpy (tzbuf, def_tz); } else { - tzbuf[strlen (tzbuf) - 1] = '\0'; + /* Remove optional trailing '\n'. */ + tzbuf[strcspn (tzbuf, "\n")] = '\0'; } if (NULL != fp) { -- 2.27.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2