oss-sec mailing list archives
Re: Abusing TZ for fun (and little profit)
From: Jakub Wilk <jwilk () jwilk net>
Date: Sun, 14 Dec 2014 17:20:28 +0100
* Jakub Wilk <jwilk () jwilk net>, 2014-10-16, 00:35:
> By default, sudo preserves the TZ variable[1] from user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program to read an arbitrary file.

Oh, and the glibc's tzfile parser is apparently not very robust:
https://bugs.debian.org/772705

-- 
Jakub Wilk
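
Added example, not part of the original message and not sudo's or glibc's code: one way a privileged program could vet a user-supplied TZ value before keeping it in its environment, so that it can only name a file inside the zoneinfo tree. The helper name `tz_value_is_safe`, the `/usr/share/zoneinfo/` location and the sample values in `main` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: location of the zoneinfo database; it varies between systems. */
#define ZONEINFO_DIR "/usr/share/zoneinfo/"
#define TZ_MAX_LEN 4096 /* assumed upper bound, in the spirit of PATH_MAX */

/* Hypothetical helper: true if tz may be passed on to a privileged process. */
bool tz_value_is_safe(const char *tz)
{
    if (tz == NULL || strlen(tz) >= TZ_MAX_LEN)
        return false;
    /* A leading ':' only marks the rest as a file name; skip it. */
    if (*tz == ':')
        tz++;
    /* An absolute path is acceptable only inside the zoneinfo tree. */
    if (*tz == '/' && strncmp(tz, ZONEINFO_DIR, strlen(ZONEINFO_DIR)) != 0)
        return false;
    for (const char *p = tz; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        /* No whitespace or non-printable bytes. */
        if (!isprint(c) || isspace(c))
            return false;
        /* No ".." path component: relative names are resolved against the
         * zoneinfo directory, and ".." would step out of it. */
        bool at_component_start = (p == tz || p[-1] == '/');
        if (at_component_start && p[0] == '.' && p[1] == '.' &&
            (p[2] == '/' || p[2] == '\0'))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = {
        "Europe/Warsaw", "CET-1CEST,M3.5.0,M10.5.0/3",
        ":/usr/share/zoneinfo/UTC", "/home/user/crafted-tzfile",
        "../../home/user/crafted-tzfile",
        "/usr/share/zoneinfo/../../../home/user/crafted-tzfile",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s %s\n", samples[i],
               tz_value_is_safe(samples[i]) ? "keep" : "drop");
    return 0;
}
```

A value that fails the check would be removed from the environment (or replaced with a known-good default) before the privileged command runs.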