Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <e08b126d-fb6a-8b6b-676c-c5815da86f80@cs.ucla.edu>
Date: Wed, 11 Nov 2020 19:38:00 -0800
From: Paul Eggert <eggert@...ucla.edu>
To: Bruno Haible <bruno@...sp.org>
Cc: bug-gnulib@....org, Simon Josefsson <simon@...efsson.org>,
 Pádraig Brady <P@...igBrady.com>, musl@...ts.openwall.com
Subject: Re: parse-datetime test failure

On 11/11/20 8:20 AM, Bruno Haible wrote:
> It works fine on Alpine Linux 3.7 (32-bit, 64-bit) and 3.9 (64-bit).
> 
> On Alpine Linux 3.10 and 3.12 (64-bit) it fails:
> ../../gltests/test-parse-datetime.c:448: assertion 'result.tv_sec == 1 * 60 * 60 + 2 * 60 + 3 && result.tv_nsec == 123456789' failed
> Aborted
> 
> So, to me it looks like a regression between Alpine Linux 3.9 and 3.10.

It's arguably a bug in the test case, since Alpine uses musl libc which does not 
support time zone abbreviations longer than 6 bytes, whereas the test case uses 
an time zone abbreviation of 2000 bytes (to test a bug in an old Gnulib version 
when running on GNU/Linux). POSIX does not define behavior if you go over the limit.

I worked around the problem by changing the test case to not go over the limit 
as determined by sysconf (_SC_TZNAME_MAX), in the first attached patch. Plus I 
refactored and/or slightly improved the Gnulib overflow checking while I was in 
the neighborhood (last two attached patches).

Arguably this is a quality-of-implementation issue here, since Alpine and/or 
musl goes beserk with long timezone abbreviations whereas every other 
implementation I know of either works or silently substitutes localtime or UTC 
(which is good enough for this test case). But I'll leave that issue to the 
Alpine and/or musl libc folks.

I'll cc this to the musl bug reporting list. Although the Gnulib test failure 
has been fixed, it may be the symptom of a more-severe bug in musl. For those 
new to the problem, this thread starts here:

https://lists.gnu.org/r/bug-gnulib/2020-11/msg00039.html

View attachment "0001-parse-datetime-tests-port-to-Alpine-Linux-3.12.1.patch" of type "text/x-patch" (2760 bytes)

View attachment "0002-parse-datetime-streamline-overflow-checking.patch" of type "text/x-patch" (7200 bytes)

View attachment "0003-time_rz-simplify-CVE-2017-7476-fix.patch" of type "text/x-patch" (2635 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.