Bug 109421

Summary: year 2100 bug for X.509 authentication
Product: Other Reporter: Tommaso Schiavinotto (tommaso.schiavinotto)
Component: OtherAssignee: other_other
Status: NEW ---    
Severity: normal CC: mj1856
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.3.2 Subsystem:
Regression: No Bisected commit-id:

Description Tommaso Schiavinotto 2015-12-15 16:47:09 UTC 
Referring to commit cc25b994acfbc901429da682d0f73c190e960206 that
solved the CVE-2015-5327 issue.

There is a problem for year 2100, according to the following code:

        if (mon == 2) {
		if (year % 4 == 0) {
			mon_len = 29;
			if (year % 100 == 0) {
				year /= 100;
				if (year % 4 != 0)
					mon_len = 28;
			}
		}
	}

	if (day < 1 || day > mon_len ||
	    hour > 23 ||
	    min > 59 ||
	    sec > 59)
		goto invalid_time;

	*_t = mktime64(year, mon, day, hour, min, sec);

after checking if the year is divisible by 100, the code modifies the 'year' variable value dividing by 100, the same variable is used then on the mktime call going to create a completely wrong timestamp (for year 2100 the timestamp will correspond to year 21).

Credits: the bug was actually discovered by Matt Johnson
Comment 1 Matt Johnson 2015-12-15 17:18:26 UTC 
Thanks Tommaso for filing this.

The recommended fix would be to replace:

if (year % 100 == 0) {
	year /= 100;
	if (year % 4 != 0)

with this:


if (year % 100 == 0) {
	if (year % 400 != 0)