From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 30259 invoked from network); 5 Sep 2021 21:26:28 -0000
Received: from mother.openwall.net (195.42.179.200)
  by inbox.vuxu.org with ESMTPUTF8; 5 Sep 2021 21:26:28 -0000
Received: (qmail 3332 invoked by uid 550); 5 Sep 2021 21:26:26 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Received: (qmail 3311 invoked from network); 5 Sep 2021 21:26:25 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=opensmtpd; bh=e5BWmI9j2D
	SOsK3Xf26zsUIaaKXPQHRGX6h310w8ZBg=; h=in-reply-to:references:from:
	subject:to:date; d=soeren-tempel.net; b=S9zGA4Y9pt/1oVztvZa+l8lU0Q13ER
	S5XYKns4/Z4mfzwvdhdfHBLL0mb90BQqXbEw8jeXQ2n8Bp/35yt7nrWsdo1TAQKM9j4twW
	43z6eJXv3+d1/8dP7bgsrY61nTPpOg2fPXh4ahNWUiFxN4uhIpTId8tqZjClJsovxDeJ2c
	0=
Date: Sun, 05 Sep 2021 23:26:08 +0200
To: musl@lists.openwall.com
From: =?UTF-8?Q?S=C3=B6ren?= Tempel <soeren@soeren-tempel.net>
References: <2R2YR9WZKQ66Q.2ITJ44PGSICVN@8pit.net>
 <20210905173949.GE3090@voyager>
In-Reply-To: <20210905173949.GE3090@voyager>
Message-Id: <38ZW90QHEA9XD.3GB2I1P1ZLKDB@8pit.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [musl] tzset() cannot handle arbitrary inputs

Markus Wichmann <nullplan@gmx.net> wrote:
> Hi all,

Hi,

> The user setting TZ is also the one getting the crashes. The
> assumption is less that the input is always valid, but more that if it
> is invalid, the user will only be hacking themselves.

This is only true under the assumption that $TZ itself is never set to a
value derived from an untrusted source. See the aforementioned calcurse
code for example where this assumption does not hold. If you search
GitHub or use codesearch.debian.net you will find plenty additional
examples where people "abuse" $TZ to query information about zonefiles
by name. Please also note that these spatial memory safety violations
are UB and thus might or might not lead to a crash.

Greetings,
S=C3=B6ren