This change fixes another wart in unveil/pledge which wasn't resolved in the original design. pledge allows bypass-reading of /usr/share/zoneinfo/ files for TZ=zone but absolute path support remained a wart.
Once again, we have to remove a rarely used behavior of libc. During pledge and unveil propagation in programs, and even earlier with privsep development (meaning use of chroot), we added many early calls to tzset() in programs. Some programs stopped using chroot, and rely upon pledge and unveil instead. Many of those tzset() calls could potentially be removed because other libc functions can initialize late due to the zoneinfo directory bypass. When doing so, please remember -portable versions will still need to perform the initialization calls early, and also the chroot case still needs early initialization also.

Todd C. Miller <mill...@cvs.openbsd.org> wrote:

> CVSROOT: /cvs
> Module name: src
> Changes by: mill...@cvs.openbsd.org 2022/09/21 09:57:49
>
> Modified files:
>     lib/libc/time : localtime.c tzset.3
>
> Log message:
> tzset: ignore TZ if it contains an absolute path or issetugid().
> Reading time zone files from user-controlled paths can result in
> pledge(2) or unveil(2) violations. We also ignore files that contain
> a '.' character to avoid paths containing ".." or hidden files.
> Work with and OK deraadt@
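
The check described in the quoted log message, sketched as an added example (this is not the OpenBSD libc code and not part of the original message). The helper name tz_zonefile_path, the is_setugid parameter standing in for the result of issetugid(2), and the stripping of a leading ':' are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define ZONEINFO_DIR "/usr/share/zoneinfo"	/* directory named in the post */

/*
 * Hypothetical helper: decide whether a TZ value may be opened as a zone
 * file and, if so, build its path under ZONEINFO_DIR.
 * is_setugid stands in for issetugid(2) so the sketch builds anywhere.
 * Returns 0 and fills path on acceptance, -1 when the value is refused.
 */
int
tz_zonefile_path(const char *tz, int is_setugid, char *path, size_t pathlen)
{
	int n;

	if (tz == NULL || is_setugid)
		return -1;	/* environment is not trusted when setugid */
	if (tz[0] == ':')	/* assumed: optional ':' before a file name */
		tz++;
	if (tz[0] == '\0' || tz[0] == '/')
		return -1;	/* nothing to open, or an absolute path */
	if (strchr(tz, '.') != NULL)
		return -1;	/* covers "..", "./x" and hidden files */
	n = snprintf(path, pathlen, "%s/%s", ZONEINFO_DIR, tz);
	if (n < 0 || (size_t)n >= pathlen)
		return -1;	/* truncated path: refuse rather than open it */
	return 0;
}

int
main(void)
{
	/* Constructed sample values, not taken from the post. */
	const char *samples[] = { "Europe/Berlin", ":UTC", "/home/user/myzone",
	    "../../tmp/zone", "Europe/.hidden", "" };
	char path[128];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (tz_zonefile_path(samples[i], 0, path, sizeof(path)) == 0)
			printf("%-20s -> %s\n", samples[i], path);
		else
			printf("%-20s -> refused\n", samples[i]);
	}
	return 0;
}
```

Every accepted value resolves to a path below the zoneinfo directory, which is the only location the pledge bypass mentioned in the post covers.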