Make time zone file parser more robust [BZ #17715]

1 files changed, 12 insertions, 6 deletions

diff --git a/NEWS b/NEWS
index a628b5a..6408bed 100644
--- a/NEWS
+++ b/NEWS
@@ -11,12 +11,12 @@ Version 2.22
 
   4719, 6792, 13064, 14094, 14841, 14906, 15319, 15467, 15790, 15969, 16351,
   16512, 16560, 16783, 16850, 17090, 17195, 17269, 17523, 17542, 17569,
-  17588, 17596, 17620, 17621, 17628, 17631, 17711, 17776, 17779, 17792,
-  17836, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965, 17967,
-  17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020, 18029,
-  18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047, 18068,
-  18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185, 18197,
-  18206, 18210, 18211, 18247, 18287.
+  17588, 17596, 17620, 17621, 17628, 17631, 17711, 17715, 17776, 17779,
+  17792, 17836, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965,
+  17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020,
+  18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047,
+  18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185,
+  18197, 18206, 18210, 18211, 18247, 18287.
 
 * Cache information can be queried via sysconf() function on s390 e.g. with
   _SC_LEVEL1_ICACHE_SIZE as argument.
@@ -28,6 +28,12 @@ Version 2.22
   potentially arbitrary code execution, using crafted, but syntactically
   valid DNS responses.  (CVE-2015-1781)
 
+* The time zone file parser has been made more robust against crafted time
+  zone files, avoiding heap buffer overflows related to the processing of
+  the tzh_ttisstdcnt and tzh_ttisgmtcnt fields, and a stack overflow due to
+  large time zone data files.  Overly long time zone specifiers in the TZ
+  variable no longer result in stack overflows and crashes.
+
 * A powerpc and powerpc64 optimization for TLS, similar to TLS descriptors
   for LD and GD on x86 and x86-64, has been implemented.  You will need
   binutils-2.24 or later to enable this optimization.