56 lines
1.4 KiB
Diff
From 37ae2320809cb16afa9dacd8e5ea317ae216ee36 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Fri, 27 Jan 2023 11:57:51 +0000
Subject: [PATCH] Correctly handle illegal system file in tz

If the file referenced by ENV_TZ has a zero length string, then an out
of boundary write occurs. Also the result can be wrong because it is
assumed that the file will always end with a newline.

Only override a newline character with '\0' to avoid these cases.

This cannot be considered to be security relevant because login.defs
and its contained references to system files should be trusted to begin
with.

Proof of Concept:

1. Compile shadow's su with address sanitizer and --without-libpam

2. Setup your /etc/login.defs to contain ENV_TZ=/etc/tzname

3. Prepare /etc/tzname to contain a '\0' byte at the beginning

`python -c "print('\x00')" > /etc/tzname`

4. Use su

`su -l`

You can see the following output:

`tz.c:45:8: runtime error: index 18446744073709551615 out of bounds for type 'char [8192]'`

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
---
 libmisc/tz.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libmisc/tz.c b/libmisc/tz.c
index f3f5733e..9f3a41f2 100644
--- a/libmisc/tz.c
+++ b/libmisc/tz.c
@@ -42,7 +42,8 @@

strcpy (tzbuf, def_tz);
} else {
- tzbuf[strlen (tzbuf) - 1] = '\0';
+ /* Remove optional trailing '\n'. */
+ tzbuf[strcspn (tzbuf, "\n")] = '\0';
}

if (NULL != fp) {
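Review bot: The comment on the `+` line undersells what the new statement does: `strcspn (tzbuf, "\n")` cuts the buffer at the first '\n' anywhere in it, not only a trailing one, so the comment should say "Terminate at the first '\n', if any." to match the behaviour. On correctness, the replacement closes both cases the commit message describes: for an empty string `strcspn` returns 0 and the terminator lands at index 0, instead of at `strlen (tzbuf) - 1`, which wraps to the index 18446744073709551615 the sanitizer reported; for a line with no trailing newline it returns `strlen (tzbuf)` and simply rewrites the existing terminator. Separate from this change, the context line `strcpy (tzbuf, def_tz);` copies the login.defs default into the 8192-byte `tzbuf` without a length check; the commit message treats login.defs as trusted, so it is acceptable to leave as is, but a bounded copy would be a cheap follow-up.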
--
2.27.0