From: Sami Kerola <kerolasa@iki.fi>
Date: Wed, 27 Jul 2016 18:47:38 +0000 (+0100)
Subject: hwclock: make --date=argument less prone to injection
X-Git-Tag: v2.30-rc1~267^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c65888e823a1d54b7198f6e75919e7a13867bca;p=thirdparty%2Futil-linux.git

hwclock: make --date=argument less prone to injection

This change should not improve security much.  One hopes hwclock --set is
restricted for root only.  Where hwclock is allowed to run via sudo, or has
setuid setup, there is a pretty easy privilege escalation via subshell.

$ sudo ./hwclock --set --date='2000-10-20$(touch /tmp/hwclock.inject)'

Reviewed-by: J William Piggott <elseifthen@gmx.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
---

diff --git a/sys-utils/hwclock.c b/sys-utils/hwclock.c
index 98933316f0..8716946d63 100644
--- a/sys-utils/hwclock.c
+++ b/sys-utils/hwclock.c
@@ -672,10 +672,12 @@ static int interpret_date_string(const struct hwclock_control *ctl,
 	}
 
 	/* Quotes in date_opt would ruin the date command we construct. */
-	if (strchr(ctl->date_opt, '"') != NULL) {
+	if (strchr(ctl->date_opt, '"') != NULL ||
+	    strchr(ctl->date_opt, '`') != NULL ||
+	    strchr(ctl->date_opt, '$') != NULL) {
 		warnx(_
 		      ("The value of the --date option is not a valid date.\n"
-		       "In particular, it contains quotation marks."));
+		       "In particular, it contains illegal character(s)."));
 		return retcode;
 	}