From proff@profane.iq.org  Sat Jan 25 09:53:25 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA09963
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 25 Jan 1997 09:53:22 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id EAA13540;
          Sun, 26 Jan 1997 04:53:49 +1100 (EST)
Message-Id: <199701251753.EAA13540@profane.iq.org>
Date: Sun, 26 Jan 1997 04:53:49 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: small security hole in localtime.c
X-Send-Pr-Version: 3.2

>Number:         2583
>Category:       bin
>Synopsis:       small security hole in localtime.c
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 10:00:01 PST 1997
>Closed-Date:    Sun Mar 23 23:12:04 MST 1997
>Last-Modified:  Sun Mar 23 23:12:50 MST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	Various suid programs use, directly or indirectly, ctime(3) functions. Many
	(all?) of these functions will eventually call tzload(). If the TZ environment
	variable starts with :*\/ (that's a regex..) then the TZ information
	is fetched from the specified file. There is an access() race condition
	on the file. If the race is won by the attacker, the file is read as
	root. If the task subsequently goes euid==uid==user, parts of the
	information can be discovered. Even if the process always runs
	with euid!=uid, it may be possible to infer the initial contents of the
	TZ file by the time shift in the suid program.
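	The following is an added example, not code from the PR or from
	FreeBSD's localtime.c. It reproduces the tzload() path selection the
	report describes (leading ':' stripped, absolute path taken as-is,
	anything else prefixed with TZDIR) and places the racy
	access()-then-open() pair beside a version that never opens a
	caller-steerable file from a set-id process and validates the opened
	descriptor with fstat() instead. TZDIR, the helper names and the
	temp-file self-check are assumptions for illustration.

```c
/* tzguard.c: added example (not FreeBSD's localtime.c). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TZDIR "/usr/share/zoneinfo"   /* assumption: FreeBSD's default */

/* Resolve TZ the way tzload() does: drop a leading ':', then keep an
 * absolute path as-is or prefix TZDIR. Returns 1 when the result is
 * steerable by whoever set TZ (absolute, or containing '.', e.g.
 * "../../etc/master.passwd"), 0 when it stays inside the stock
 * zoneinfo tree, -1 if the name does not fit in out. */
int tz_resolve(const char *tz, char *out, size_t outlen)
{
    int n;

    if (*tz == ':')
        ++tz;
    n = (*tz == '/') ? snprintf(out, outlen, "%s", tz)
                     : snprintf(out, outlen, "%s/%s", TZDIR, tz);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return *tz == '/' || strchr(tz, '.') != NULL;
}

/* Classify a TZ value without keeping the resolved path. */
int tz_steerable(const char *tz)
{
    char buf[512];
    return tz_resolve(tz, buf, sizeof buf);
}

/* The shape the PR reports: access() is evaluated with the real uid,
 * open() with the effective uid, and a symlink can be re-pointed between
 * the two calls. Kept only for contrast; do not use. */
int tz_open_racy(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);
}

/* Hardened shape: a set-id process refuses every steerable name before
 * touching the filesystem, so there is no window to race. Otherwise the
 * real and effective ids agree and open() itself enforces permissions;
 * fstat() on the descriptor then checks the object actually opened. */
int tz_open_safe(const char *path, int steerable)
{
    struct stat st;
    int fd;

    if (steerable && (getuid() != geteuid() || getgid() != getegid()))
        return -1;
    fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on a constructed temp file; returns 1 on success. This
 * process is not set-id, so the refusal branch is not taken and the
 * open()+fstat() path is what gets exercised. */
int tz_selftest(void)
{
    char tmpl[] = "/tmp/tzguardXXXXXX";
    char path[512];
    int fd, ok = 0;

    fd = mkstemp(tmpl);
    if (fd == -1)
        return 0;
    (void)write(fd, "TZif", 4);          /* constructed: magic bytes only */
    close(fd);

    if (tz_resolve("UTC", path, sizeof path) == 0 &&
        strcmp(path, TZDIR "/UTC") == 0 &&
        tz_resolve(tmpl, path, sizeof path) == 1 &&
        strcmp(path, tmpl) == 0) {
        fd = tz_open_safe(path, 1);
        if (fd >= 0) {
            ok = 1;
            close(fd);
        }
    }
    unlink(tmpl);
    return ok;
}

int main(void)
{
    printf("selftest: %s\n", tz_selftest() ? "ok" : "FAILED");
    return 0;
}
```

	The refusal in tz_open_safe() is deliberately coarse: the value of TZ
	is never trusted once the ids differ, which is the only ordering in
	which no check-then-use gap exists. Comparing getuid()/geteuid() has
	the limitation that a program which has already equalised its ids is
	treated as unprivileged, so on systems that provide it, issetugid(2)
	is the better predicate.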

	

>How-To-Repeat:

	

>Fix:
	
	


--- src/lib/libc/stdtime/localtime.c.orig	Tue Jan 14 04:12:23 1997
+++ src/lib/libc/stdtime/localtime.c	Sun Jan 26 04:51:42 1997
@@ -305,8 +305,10 @@
 				doaccess = TRUE;
 			name = fullname;
 		}
-		if (doaccess && access(name, R_OK) != 0)
-			return -1;
+		if (doaccess &&
+		    (getuid() != geteuid() ||
+		     getgid() != getegid()) )
+		     	return -1;
 		if ((fid = open(name, OPEN_MODE)) == -1)
 			return -1;
 		if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
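Review bot: the getuid()/geteuid() and getgid()/getegid() comparison that replaces access() here does not detect a process that started set-id and has since made its real and effective ids equal (a root-setuid program that called setuid(0), or one that swapped back with setreuid()), so such a process will still open a caller-chosen TZ file with privileges the invoking user lacks; where issetugid(2) is available it records that the process was ever set-id and is the safer predicate, and the access()-free ordering (open, then fstat on the descriptor) should be kept either way. Dropping access() loses nothing for the non-set-id case, since open() applies the same credentials, but `doaccess` and the "Set doaccess if ..." comment above now describe a call that is no longer made; rename the variable or update the comment. Minor: the `return -1;` is indented one level deeper than its `if` with a tab/space mix.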
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:12:45 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
Responsible-Changed-From-To: freebsd-bugs->freebsd-bugs 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Mon Jan 27 10:31:52 PST 1997 
Responsible-Changed-Why:  
It didn't. 
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sat Feb 8 23:43:21 MST 1997 
Responsible-Changed-Why:  
I'll fix this. 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sun Mar 23 23:12:04 MST 1997 
State-Changed-Why:  

fixed 
>Unformatted:
