Improve TZ="/..." security and speed (NetBSD only)

eggert · eggert · commit 8e43ecbb2561 · 2025-10-28T16:39:13.000-07:00
* NEWS: Mention security.
* localtime.c (O_REGULAR): Default to 0.
(tzloadbody): Open TZif files with O_REGULAR.
Suppress unnecessary call to 'stat' if O_REGULAR is present.
diff --git a/NEWS b/NEWS
@@ -40,6 +40,9 @@ Unreleased, experimental changes
     and reject relative names containing ".." directory components;
     formerly, only privileged programs did those two things.
     These changes were inspired by similar behavior in FreeBSD.
+    On NetBSD, unprivileged programs now use O_REGULAR to check
+    whether a TZ setting starting with '/' names a regular file,
+    avoiding a minor security race still present elsewhere.
     TZ strings taken from tzalloc arguments are now treated with
     no less caution than TZ strings taken from the environment, as
     the old undocumented behavior would have been hard to explain.
diff --git a/localtime.c b/localtime.c
@@ -355,6 +355,9 @@ static int openat(int dd, char const *path, int oflag) { unreachable (); }
 #ifndef O_PATH
 # define O_PATH 0
 #endif
+#ifndef O_REGULAR
+# define O_REGULAR 0
+#endif
 #ifndef O_RESOLVE_BENEATH
 # define O_RESOLVE_BENEATH 0
 #endif
@@ -900,7 +903,7 @@ tzloadbody(char const *name, struct state *sp, char tzloadflags,
 	register int tzheadsize = sizeof(struct tzhead);
 	int dd = AT_FDCWD;
 	int oflags = (O_RDONLY | O_BINARY | O_CLOEXEC | O_CLOFORK
-		      | O_IGNORE_CTTY | O_NOCTTY);
+		      | O_IGNORE_CTTY | O_NOCTTY | O_REGULAR);
 	int err;
 	struct stat st;
 	st.st_ctime = 0;
@@ -927,7 +930,7 @@ tzloadbody(char const *name, struct state *sp, char tzloadflags,
 	      continue;
 	  else if (issetugid())
 	    return ENOTCAPABLE;
-	  else {
+	  else if (!O_REGULAR) {
 	    /* Check for devices, as their mere opening could have
 	       unwanted side effects.  Though racy, there is no
 	       portable way to fix the races.  This check is needed
