[37/59] Tighten setuid TZif file name check

Message ID 20250105055750.1668721-38-eggert@cs.ucla.edu (mailing list archive)
State New
Headers
Series time: sync mktime from Gnulib |

Checks

Context Check Description
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent

Commit Message

Paul Eggert Jan. 5, 2025, 5:57 a.m. UTC
  * time/tzfile.c (__tzfile_read): In a setuid program, reject TZ
settings like "/usr/share/zoneinfobad/Foo" which have a prefix
"/usr/share/zoneinfo" but do not refer to /usr/share/zoneinfo/*.
---
 time/tzfile.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
  

Patch

diff --git a/time/tzfile.c b/time/tzfile.c
index 678ecdd58b..8efe5b2ec9 100644
--- a/time/tzfile.c
+++ b/time/tzfile.c
@@ -140,7 +140,7 @@  decode64 (const void *ptr)
 bool
 __tzfile_read (const char *file)
 {
-  static const char default_tzdir[] = TZDIR;
+  static const char default_tzdir[] = TZDIR "/";
   tzidx isstdcnt, isutcnt;
   FILE *f;
   union { struct tzhead tzhead; tzidx tzidx_aligned; } u;
@@ -178,6 +178,7 @@  __tzfile_read (const char *file)
 	tzdir = default_tzdir;
 
       size_t tzdirlen = strlen (tzdir);
+      tzdirlen -= tzdir[tzdirlen - 1] == '/';
       size_t filelen = strlen (file);
       new = malloc (tzdirlen + 1 + filelen + 1);
       if (new == NULL)