Thread: Re: Buffer overflow in zic

Evgeniy Gorbanyov <gorbanyoves@basealt.ru> writes:
> Ifyou compilezicwithASAN,you cangetthe following(notethiswill 
> delete/etc/localtime):
> |$ sudo ./zic -l fff

zic is not our code.  Please take this up with the upstream IANA
list tz@iana.org.  (They might want to see a reproducer against
their current code ... we're a bit behind on syncing that.)

https://www.iana.org/time-zones

            regards, tom lane

Bug fixed in 2025b:
https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/6JVHNHLB6I2WAYTQ75L6KEPEQHFXAJK3/

Mailing list:
https://lists.iana.org/hyperkitty/list/tz@iana.org/thread/7MKA4UXVUUGXXMDCTPQ5VOLD4KKN3LQR/

06.02.2025 21:00, Tom Lane пишет:
> Evgeniy Gorbanyov <gorbanyoves@basealt.ru> writes:
>> Ifyou compilezicwithASAN,you cangetthe following(notethiswill
>> delete/etc/localtime):
>> |$ sudo ./zic -l fff
> zic is not our code.  Please take this up with the upstream IANA
> list tz@iana.org.  (They might want to see a reproducer against
> their current code ... we're a bit behind on syncing that.)
>
> https://www.iana.org/time-zones
>
>             regards, tom lane

=?UTF-8?B?0JXQstCz0LXQvdC40Lkg0JPQvtGA0LHQsNC90LXQsg==?= <gorbanyoves@basealt.ru> writes:
> Bug fixed in 2025b:
> https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/6JVHNHLB6I2WAYTQ75L6KEPEQHFXAJK3/

We'll get around to syncing to tzcode 2025b or later at some point.
This particular issue does not strike me as a reason for urgency,
though.  We do not install our version of zic, nor invoke it with -l,
so the bug is really irrelevant to us.

            regards, tom lane