CVE-2009-5029
Description
Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in glibc's __tzfile_read allows heap corruption via crafted timezone file, leading to crash or potential code execution.
Vulnerability
Integer overflow in the __tzfile_read function in glibc before version 2.15 allows a crafted timezone (TZ) file to cause a heap overflow. The overflow occurs when computing the total size for memory allocation, specifically when tzh_charcnt is very large, leading to a wrap-around to a small value [1][2]. This affects all glibc versions prior to 2.15. The vulnerability is reachable when an application processes a user-supplied timezone file, as demonstrated with vsftpd [description].
Exploitation
An attacker needs to supply a malicious timezone file to an application that uses glibc's timezone handling. The attacker must have the ability to control the TZ environment variable or provide a file path that is read by __tzfile_read. In the vsftpd scenario, the attacker can upload a crafted file that is then processed. The integer overflow leads to a heap buffer overflow when copying data into the undersized buffer [1][2]. No special privileges are required beyond the ability to provide the file.
Impact
Successful exploitation can cause a denial of service (crash) and potentially arbitrary code execution. The heap corruption may allow an attacker to overwrite critical data structures, leading to control of the program flow. The impact is context-dependent; the original discoverer noted that making a decent exploit is difficult [1], but later analysis confirmed the possibility of code execution [2].
Mitigation
The vulnerability is fixed in glibc version 2.15, released in 2012 [2]. Users should update to glibc 2.15 or later. For systems that cannot be updated, avoid processing untrusted timezone files. The fix includes checks to prevent integer overflow in the computation of total_size and related values [2][3]. No workaround is available other than patching.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
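The size computation described in the Vulnerability and Mitigation paragraphs above, as an added sketch that is not glibc's code or its patch. It models a 32-bit size_t with uint32_t; the struct, the field names other than the idea of the page's tzh_charcnt, the element sizes and the sample counts are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Counts as read from a TZ file header. The page names tzh_charcnt; the
   other fields and the element sizes below are assumptions of this sketch. */
struct tz_counts { uint32_t timecnt, typecnt, charcnt, leapcnt; };
enum { TRANS_SZ = 5, TYPE_SZ = 8, LEAP_SZ = 8 };

/* Constructed sample headers (not taken from any real file). */
const struct tz_counts SAMPLE_OK   = { 4, 2, 8, 1 };
const struct tz_counts SAMPLE_WRAP = { 4, 2, 0xFFFFFFF0u, 0 };

/* Unchecked sum in 32-bit arithmetic, as on a platform with 32-bit size_t.
   An oversized charcnt wraps the total around to a small value. */
uint32_t total_size_unchecked(const struct tz_counts *c)
{
    uint32_t total = c->timecnt * (uint32_t)TRANS_SZ;
    total += c->typecnt * (uint32_t)TYPE_SZ + c->charcnt;
    total += c->leapcnt * (uint32_t)LEAP_SZ;
    return total;
}

/* Add n * size to *acc only if the result still fits in 32 bits. */
static bool add_mul(uint32_t *acc, uint32_t n, uint32_t size)
{
    if (n > (UINT32_MAX - *acc) / size)
        return false;
    *acc += n * size;
    return true;
}

/* Checked sum: returns the total, or -1 if any step would overflow. */
int64_t total_size_checked(const struct tz_counts *c)
{
    uint32_t total = 0;
    if (!add_mul(&total, c->timecnt, TRANS_SZ) ||
        !add_mul(&total, c->typecnt, TYPE_SZ) ||
        !add_mul(&total, c->charcnt, 1) ||
        !add_mul(&total, c->leapcnt, LEAP_SZ))
        return -1;
    return (int64_t)total;
}

int main(void)
{
    printf("unchecked: %u, checked: %lld\n",
           (unsigned)total_size_unchecked(&SAMPLE_WRAP),
           (long long)total_size_checked(&SAMPLE_WRAP));
    return 0;
}
```

A parser that allocates from the unchecked total and then copies the number of bytes each count claims writes past the buffer; the checked version rejects the header before any allocation happens.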
Affected products (17)
- cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* (range: <=2.14)
- cpe:2.3:a:gnu:glibc:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.13:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.9:*:*:*:*:*:*:*
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.