GitHub user Naveed8951 reported a potential (but unlikely) security
flaw due to undefined behavior in localtime.c after integer overflow.
The patches in this series should fix the reported problems.

Some of the problem occurred in a part of the localtime.c code that
was implementing a feature declared obsolete in TZDB release 2019b.
This feature let the sysadmin specify default DST rules for
DST-but-ruleless old-style POSIX settings like TZ="AST4ADT".
Rather than try to fix the feature this patch series removes it;
the feature is hardly ever used and would stop working in 2038 anyway.
As a result, tzcode by default uses current US DST for these settings,
with no opportunity for sysadmin override (though the default can be
overridden when tzcode is compiled).  This behavior is already common
elsewhere.

Paul Eggert (6):
  Add comment re UT offsets equal to -2**31
  Document zic -p better
  zic now warns about -p
  Remove POSIXRULES installation option
  Remove TZDEFRULES ("posixrules") from localtime.c
  Fix remaining Naveed8951-reported overflows

 Makefile    |  28 +---
 NEWS        |  19 +++
 localtime.c | 388 ++++++++++++++++++++++++----------------------------
 newctime.3  |   4 +-
 newtzset.3  |  29 +---
 tzfile.5    |   7 +-
 tzfile.h    |  12 +-
 zic.8       |  17 ++-
 zic.c       |   8 ++
 9 files changed, 228 insertions(+), 284 deletions(-)

--
2.52.0
