From: Samanta Navarro <ferivoz@riseup.net>
Date: Fri, 27 Jan 2023 11:57:51 +0000 (+0000)
Subject: Correctly handle illegal system file in tz
X-Git-Tag: 4.14.0-rc1~203
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37ae2320809cb16afa9dacd8e5ea317ae216ee36;p=thirdparty%2Fshadow.git

Correctly handle illegal system file in tz

If the file referenced by ENV_TZ has a zero length string, then an out
of boundary write occurs. Also the result can be wrong because it is
assumed that the file will always end with a newline.

Only override a newline character with '\0' to avoid these cases.

This cannot be considered to be security relevant because login.defs
and its contained references to system files should be trusted to begin
with.

Proof of Concept:

1. Compile shadow's su with address sanitizer and --without-libpam

2. Setup your /etc/login.defs to contain ENV_TZ=/etc/tzname

3. Prepare /etc/tzname to contain a '\0' byte at the beginning

`python -c "print('\x00')" > /etc/tzname`

4. Use su

`su -l`

You can see the following output:

`tz.c:45:8: runtime error: index 18446744073709551615 out of bounds for type 'char [8192]'`

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
---

diff --git a/libmisc/tz.c b/libmisc/tz.c
index f3f5733e3..9f3a41f28 100644
--- a/libmisc/tz.c
+++ b/libmisc/tz.c
@@ -42,7 +42,8 @@
 
 		strcpy (tzbuf, def_tz);
 	} else {
-		tzbuf[strlen (tzbuf) - 1] = '\0';
+		/* Remove optional trailing '\n'. */
+		tzbuf[strcspn (tzbuf, "\n")] = '\0';
 	}
 
 	if (NULL != fp) {