libostree: Add missing checks for invalid timestamps

g_date_time_new_from_unix_utc() will not always return a valid GDateTime
— if the input timestamp is too big, GDateTime cannot represent it, and
the constructor returns NULL.

Add some missing checks for these situations. We don’t ever expect
timestamps to be this big, but they could be as a result of corruption
or a malicious repository.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #825
Approved by: cgwalters

diff --git a/src/libostree/ostree-gpg-verify-result.c b/src/libostree/ostree-gpg-verify-result.c
index 73fbfeedf8e85d2bf622f29ea3c506d7dc3ddc24..cd709b7c41199451da3992208fc7a40c58840e22 100644 (file)
--- a/src/libostree/ostree-gpg-verify-result.c
+++ b/src/libostree/ostree-gpg-verify-result.c
@@ -562,6 +562,14 @@ ostree_gpg_verify_result_describe_variant (GVariant *variant,
   key_id = (len > 16) ? fingerprint + len - 16 : fingerprint;
 
   date_time_utc = g_date_time_new_from_unix_utc (timestamp);
+  if (date_time_utc == NULL)
+    {
+      g_string_append_printf (output_buffer,
+                              "Can't check signature: timestamp %" G_GINT64_FORMAT " is invalid\n",
+                              timestamp);
+      return;
+    }
+
   date_time_local = g_date_time_to_local (date_time_utc);
   formatted_date_time = g_date_time_format (date_time_local, "%c");
 
@@ -606,6 +614,14 @@ ostree_gpg_verify_result_describe_variant (GVariant *variant,
   if (exp_timestamp > 0)
     {
       date_time_utc = g_date_time_new_from_unix_utc (exp_timestamp);
+      if (date_time_utc == NULL)
+        {
+          g_string_append_printf (output_buffer,
+                                  "Signature expiry timestamp (%" G_GINT64_FORMAT ") is invalid\n",
+                                  exp_timestamp);
+          return;
+        }
+
       date_time_local = g_date_time_to_local (date_time_utc);
       formatted_date_time = g_date_time_format (date_time_local, "%c");
 

diff --git a/src/libostree/ostree-sysroot-upgrader.c b/src/libostree/ostree-sysroot-upgrader.c
index 4e7c8bf38ad5095e0871d225321b850cc79ca171..11d9706cf97b13f433fd942a5e4c20067b5a7ac0 100644 (file)
--- a/src/libostree/ostree-sysroot-upgrader.c
+++ b/src/libostree/ostree-sysroot-upgrader.c
@@ -470,8 +470,15 @@ ostree_sysroot_upgrader_check_timestamps (OstreeRepo     *repo,
       g_autofree char *old_ts_str = NULL;
       g_autofree char *new_ts_str = NULL;
 
-      g_assert (old_ts);
-      g_assert (new_ts);
+      if (old_ts == NULL || new_ts == NULL)
+        {
+          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                       "Upgrade target revision '%s' timestamp (%" G_GINT64_FORMAT ") or current revision '%s' timestamp (%" G_GINT64_FORMAT ") is invalid",
+                       to_rev, ostree_commit_get_timestamp (new_commit),
+                       from_rev, ostree_commit_get_timestamp (old_commit));
+          goto out;
+        }
+
       old_ts_str = g_date_time_format (old_ts, "%c");
       new_ts_str = g_date_time_format (new_ts, "%c");
       g_date_time_unref (old_ts);

diff --git a/src/ostree/ot-remote-cookie-util.c b/src/ostree/ot-remote-cookie-util.c
index a96038aa74c3f70fc4038c7f421a2c2cc83cab72..e3ca9eac26638df4775f1a6704a3e26ce4dabedc 100644 (file)
--- a/src/ostree/ot-remote-cookie-util.c
+++ b/src/ostree/ot-remote-cookie-util.c
@@ -298,14 +298,18 @@ ot_list_cookies_at (int dfd, const char *jar_path, GError **error)
   while (ot_parse_cookies_next (parser))
     {
       g_autoptr(GDateTime) expires = g_date_time_new_from_unix_utc (parser->expiration);
-      g_autofree char *expires_str = g_date_time_format (expires, "%Y-%m-%d %H:%M:%S +0000");
+      g_autofree char *expires_str = NULL;
+
+      if (expires != NULL)
+        expires_str = g_date_time_format (expires, "%Y-%m-%d %H:%M:%S +0000");
 
       g_print ("--\n");
       g_print ("Domain: %s\n", parser->domain);
       g_print ("Path: %s\n", parser->path);
       g_print ("Name: %s\n", parser->name);
       g_print ("Secure: %s\n", parser->secure);
-      g_print ("Expires: %s\n", expires_str);
+      if (expires_str != NULL)
+        g_print ("Expires: %s\n", expires_str);
       g_print ("Value: %s\n", parser->value);
     }
 #else