Referring to commit cc25b994acfbc901429da682d0f73c190e960206, which solved the CVE-2015-5327 issue: there is a problem for year 2100, according to the following code:

    if (mon == 2) {
        if (year % 4 == 0) {
            mon_len = 29;
            if (year % 100 == 0) {
                year /= 100;
                if (year % 4 != 0)
                    mon_len = 28;
            }
        }
    }

    if (day < 1 || day > mon_len ||
        hour > 23 || min > 59 || sec > 59)
        goto invalid_time;

    *_t = mktime64(year, mon, day, hour, min, sec);

After checking whether the year is divisible by 100, the code modifies the 'year' variable by dividing it by 100; the same variable is then used in the mktime64 call, which creates a completely wrong timestamp (for year 2100 the timestamp will correspond to year 21).

Credits: the bug was actually discovered by Matt Johnson.
Thanks Tommaso for filing this. The recommended fix would be to replace:

    if (year % 100 == 0) {
        year /= 100;
        if (year % 4 != 0)

with this:

    if (year % 100 == 0) {
        if (year % 400 != 0)
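To make the effect of the clobbered 'year' concrete, the following is an added example (not code from the kernel or from this thread). It models the leap-year branch of the time decoder in both the reported form and the proposed fix, and converts the result to seconds since the epoch. Howard Hinnant's days_from_civil algorithm is used here as a stand-in for mktime64(), and the struct and function names (decoded, decode_x509_time) are invented for the example.

```c
#include <stdio.h>

/* Added example, not code from the kernel or the thread above.
 * decode_x509_time() models the leap-year branch of the X.509 time
 * decoder in two forms: buggy = 1 reproduces the reported 'year /= 100'
 * clobbering, buggy = 0 applies the proposed 'year % 400' fix.
 * days_from_civil() (Howard Hinnant's algorithm) stands in for mktime64(). */

struct decoded {
    int valid;           /* 0 if the day/hour/min/sec check rejected the input */
    int mon_len;         /* days in the month as computed by the check */
    int year_used;       /* the value of 'year' that reaches the mktime64() call */
    long long epoch_sec; /* seconds since 1970-01-01 for (year_used, mon, day, ...) */
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant). */
static long long days_from_civil(long long y, int m, int d)
{
    y -= m <= 2;                                   /* March-based year */
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;                 /* [0, 399] */
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1; /* [0, 365] */
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;          /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

static struct decoded decode_x509_time(int year, int mon, int day,
                                       int hour, int min, int sec, int buggy)
{
    static const int month_lengths[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    struct decoded r = { 0, 0, year, 0 };
    int mon_len;

    if (mon < 1 || mon > 12)
        return r;                                  /* invalid_time */
    mon_len = month_lengths[mon - 1];

    if (mon == 2) {
        if (year % 4 == 0) {
            mon_len = 29;
            if (year % 100 == 0) {
                if (buggy) {
                    year /= 100;                   /* reported bug: 'year' is clobbered */
                    if (year % 4 != 0)
                        mon_len = 28;
                } else {
                    if (year % 400 != 0)           /* proposed fix: 'year' untouched */
                        mon_len = 28;
                }
            }
        }
    }
    r.mon_len = mon_len;
    r.year_used = year;

    if (day < 1 || day > mon_len || hour > 23 || min > 59 || sec > 59)
        return r;                                  /* invalid_time */

    r.valid = 1;
    r.epoch_sec = days_from_civil(year, mon, day) * 86400LL
                + hour * 3600LL + min * 60LL + sec;
    return r;
}

int main(void)
{
    /* Constructed inputs: the century years where the two branches diverge. */
    static const int years[] = { 2000, 2100, 2400 };
    for (unsigned i = 0; i < sizeof years / sizeof years[0]; i++) {
        struct decoded b = decode_x509_time(years[i], 2, 28, 0, 0, 0, 1);
        struct decoded f = decode_x509_time(years[i], 2, 28, 0, 0, 0, 0);
        printf("%d-02-28: buggy -> year %d, %lld s; fixed -> year %d, %lld s\n",
               years[i], b.year_used, b.epoch_sec, f.year_used, f.epoch_sec);
    }
    return 0;
}
```

Both variants agree on the month length (for a century year, (year / 100) % 4 and year % 400 test the same thing), so the validity check is not what breaks; the damage is entirely in the year handed to mktime64(), which for 2100 becomes 21 and yields a timestamp roughly 61 billion seconds before the epoch.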