I was asked to expand the audit I performed earlier (summarized in
comment #5 above). I reviewed version 198-0ubuntu0ppa2 from pitti's PPA.
Again, this is not intended to be a complete audit. Not everything I found
is a security issue; I'm just reporting things that looked surprising to me.
timedated
- Forces /etc/localtime to symlink
- Race condition between valid_timezone() and write_data_timezone();
  low risk because ../usr/share/zoneinfo/ is prepended, and untrusted accounts
  shouldn't have write access here
- hwclock_set_timezone() and hwclock_reset_timezone() look misused or abused:
both are used to 'seal' the Linux kernel's magic settimeofday(2) handling to
adjust for CMOS-based clock being set to local time (Windows) or UTC (Unix).
The 'tz' variable should otherwise be unused. So calling these functions
multiple times in one boot is probably useless.
- write_data_local_rtc() appears to leave 'w' without terminating NUL
- SetTime timespec_store() doesn't appear to account for wraparound
- Many strings in timedatectl.c aren't localized
hostnamed
- read_full_file() realloc grows buf by one byte each loop iteration;
  this will be bad for performance with files between 4K and 4M.
- hostname_is_valid() will allow invalid names such as '.' or '..' or '_hi'
- Many strings in hostnamectl.c aren't localized
ACK for including both timedated and hostnamed in main, provided that
upstream is consulted for the settimeofday(2) issues, timespec_store()
wraparound issue, and hostname_is_valid() issue.
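Added example (editor's code, not systemd's hostname_is_valid() and not part of the comment above): a stricter validator following the RFC 1123 hostname grammar, showing how the names the audit calls out ('.', '..', '_hi') are rejected while ordinary names pass. The function name hostname_is_valid_strict() is an assumed name for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not systemd code: RFC 1123 style hostname check.
 * Rules enforced: 1..253 bytes total; labels separated by single dots;
 * each label 1..63 bytes of ASCII letters, digits or '-', not starting
 * or ending with '-'. Empty labels ('.', '..', 'a..b') and '_' fail. */
#define HOSTNAME_MAX_LEN 253
#define LABEL_MAX_LEN 63

static bool is_ascii_alnum(char c) {
        /* explicit ASCII test: avoids locale-dependent isalnum() */
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9');
}

bool hostname_is_valid_strict(const char *s) {
        size_t label_len = 0;
        const char *p;

        if (!s)
                return false;
        if (s[0] == '\0' || strlen(s) > HOSTNAME_MAX_LEN)
                return false;

        for (p = s; *p; p++) {
                if (*p == '.') {
                        /* empty label: leading dot, ".." or trailing dot */
                        if (label_len == 0 || p[1] == '\0')
                                return false;
                        if (p[-1] == '-')   /* label may not end in '-' */
                                return false;
                        label_len = 0;
                        continue;
                }
                if (label_len == 0 && *p == '-')  /* may not start with '-' */
                        return false;
                if (!is_ascii_alnum(*p) && *p != '-')  /* rejects '_' etc. */
                        return false;
                if (++label_len > LABEL_MAX_LEN)
                        return false;
        }
        /* final label may not end in '-' */
        return p[-1] != '-';
}
```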