From e7d1013d41126edc36dd363af9e0ac0c99c5f895 Mon Sep 17 00:00:00 2001
From: Roy Marples
Date: Fri, 19 Jun 2026 09:07:36 +0100
Subject: [PATCH] timezone: disallow directory traversal

Don't allow a timezone definition to go outside of it's directory

Reported by Hu Xinyao and NVIDIA Project Vanessa
---
 hooks/15-timezone | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hooks/15-timezone b/hooks/15-timezone
index 97ab18c9..3a905a0e 100644
--- a/hooks/15-timezone
+++ b/hooks/15-timezone
@@ -27,8 +27,16 @@ set_zoneinfo()
 return 1
 fi
 
+ # disallow directory traversal
+ case "$new_tzdb_timezone" in
+ \.\./*|*/\.\./*)
+ syslog warning "invalid timezone: $new_tzdb_timezone"
+ return 1
+ ;;
+ esac
+
 zone_file="$zoneinfo_dir/$new_tzdb_timezone"
- if [ ! -e "$zone_file" ]; then
+ if [ ! -f "$zone_file" ]; then
 syslog warning "no timezone definition for $new_tzdb_timezone"
 return 1
 fi
-- 
2.47.3
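Review bot: The new `case` pattern rejects only values that start with `../` or contain `/../`, so a bare `..` or a value ending in `/..` passes it and is stopped only by the later `-f` test, because such a path resolves to a directory rather than a regular file. Listing every form of a `..` component would keep the traversal check independent of the file test: `..|../*|*/..|*/../*)`. The backslashes before the dots are not needed, since `.` is not special in a shell pattern. set_zoneinfo begins before and continues after this hunk, so how `zone_file` is used afterwards is not visible here.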