* NEWS: Mention security.
* localtime.c (O_REGULAR): Default to 0.
(tzloadbody): Open TZif files with O_REGULAR.
Suppress unnecessary call to 'stat' if O_REGULAR is present.
---
 NEWS        | 3 +++
 localtime.c | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 64d32bf3..1ed9b2eb 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,9 @@ Unreleased, experimental changes
     and reject relative names containing ".." directory components;
     formerly, only privileged programs did those two things.
     These changes were inspired by similar behavior in FreeBSD.
+    On NetBSD, unprivileged programs now use O_REGULAR to check
+    whether a TZ setting starting with '/' names a regular file,
+    avoiding a minor security race still present elsewhere.
     TZ strings taken from tzalloc arguments are now treated with
     no less caution than TZ strings taken from the environment, as
     the old undocumented behavior would have been hard to explain.
diff --git a/localtime.c b/localtime.c
index 0d2d2a93..b85941f2 100644
--- a/localtime.c
+++ b/localtime.c
@@ -355,6 +355,9 @@ static int openat(int dd, char const *path, int oflag) { 
unreachable (); }
 #ifndef O_PATH
 # define O_PATH 0
 #endif
+#ifndef O_REGULAR
+# define O_REGULAR 0
+#endif
 #ifndef O_RESOLVE_BENEATH
 # define O_RESOLVE_BENEATH 0
 #endif
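Review bot: The fallback `# define O_REGULAR 0` has no comment, yet in this patch the zero value is also the switch that decides whether tzloadbody keeps its stat-based device check (see the `else if (!O_REGULAR)` hunk below). A comment above the `#ifndef` would make that dependency explicit, for example `/* Fail open() unless the file is regular (NetBSD). 0 where unsupported; tzloadbody then falls back to its racy stat check. */`. Without it, someone porting to a platform that spells the flag differently has no hint that leaving it at 0 keeps the race the NEWS entry describes.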
@@ -900,7 +903,7 @@ tzloadbody(char const *name, struct state *sp, char 
tzloadflags,
        register int tzheadsize = sizeof(struct tzhead);
        int dd = AT_FDCWD;
        int oflags = (O_RDONLY | O_BINARY | O_CLOEXEC | O_CLOFORK
-                     | O_IGNORE_CTTY | O_NOCTTY);
+                     | O_IGNORE_CTTY | O_NOCTTY | O_REGULAR);
        int err;
        struct stat st;
        st.st_ctime = 0;
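Review bot: Adding `O_REGULAR` to the `oflags` initialiser changes which error is reported for a non-regular TZ file on platforms that support the flag. The failure now comes from open() with the platform's own errno (EFTYPE on NetBSD, as far as I know) rather than from the stat branch. Whether tzloadbody's callers or the documentation distinguish that value is not visible in this hunk, so it is worth confirming the new errno is acceptable or mapping it to the value the stat path returns. The rest of tzloadbody lies outside the hunk.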
@@ -927,7 +930,7 @@ tzloadbody(char const *name, struct state *sp, char 
tzloadflags,
              continue;
          else if (issetugid())
            return ENOTCAPABLE;
-         else {
+         else if (!O_REGULAR) {
            /* Check for devices, as their mere opening could have
               unwanted side effects.  Though racy, there is no
               portable way to fix the races.  This check is needed
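Review bot: The new `else if (!O_REGULAR)` is decided at compile time from the header, so a build whose headers define a nonzero O_REGULAR skips the stat check even if the running kernel does not honour the flag. Whether that combination can occur on the NetBSD versions targeted is not visible here, but where it does, the device check and the flag's protection are both absent. The retained comment could also say when the branch applies, e.g. by opening with `/* No O_REGULAR: check for devices via stat, as their mere opening ...`. The block continues past the end of the hunk, so any later fstat on the opened descriptor cannot be seen from here.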
-- 
2.48.1
