Bug#1104681: sudo: tz_is_safe relies on tzdata being available at build-time
Chris Hofstaedtler
zeha at debian.org
Sun May 4 16:03:05 BST 2025
Source: sudo
Version: 1.9.16p2-1
Tags: path
User: reproducible-builds at lists.alioth.debian.org
Usertag: environment
X-Debbugs-CC: reproducible-builds at lists.alioth.debian.org
Hi,
sudo's env "plugin" has a function called tz_is_safe, which appears
to check if a set TZ envvar is really a valid timezone. To do that,
it looks into the zoneinfo database. The path to the zoneinfo
database is detected at *build* time, _if_ the zoneinfo database is
available.
Code in tz_is_safe looks like this:

#ifdef _PATH_ZONEINFO
	if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
	    tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
		debug_return_bool(false);
#else
	/* Assume the worst. */
	debug_return_bool(false);
#endif
_PATH_ZONEINFO is filled by configure, specifically the SUDO_TZDIR
macro. It tries to find a "zoneinfo" directory in one of /usr/share
/usr/share/lib /usr/lib /etc. If none is found, _PATH_ZONEINFO is
unset.
Builds of sudo done on the buildds have the "tzdata" package
available in the chroot. Thus the tz_is_safe code works.
However, tzdata is not guaranteed to be available, without sudo
actually Build-Depend-ing on it. Also, without the Build-Depends:,
tzdata is not recorded in the buildinfo file. This causes sudo to be
not reproducible, as tzdata does not get installed in rebuilderd, if
it is not listed in the buildinfo file.
TL;DR: please add Build-Depends: tzdata.
Thanks,
Chris
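The prefix check quoted in the report, as an added stand-alone illustration that is not sudo's own code and not part of the bug report. It models only the branch shown above (an absolute TZ value being compared against the configure-detected zoneinfo directory); the other cases tz_is_safe handles are out of scope. The zoneinfo directory is passed as a parameter, with NULL standing in for a build where configure found no zoneinfo database and _PATH_ZONEINFO stayed undefined, so both build outcomes can be exercised in one binary. The function name and the sample TZ values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical re-implementation of the absolute-path branch of sudo's
 * tz_is_safe check. `zoneinfo` plays the role of _PATH_ZONEINFO:
 *   - a directory string mimics a build where configure found tzdata;
 *   - NULL mimics a build where it was absent, i.e. the "#else" branch,
 *     which rejects every absolute TZ value ("assume the worst").
 */
bool tz_path_under_zoneinfo(const char *tzval, const char *zoneinfo)
{
    size_t n;

    if (tzval == NULL)
        return false;
    if (zoneinfo == NULL)            /* no zoneinfo dir detected at build time */
        return false;

    /* sizeof(_PATH_ZONEINFO) - 1 in the original equals strlen() of the literal. */
    n = strlen(zoneinfo);

    /* Must start with the zoneinfo directory AND be followed by a '/'.
     * The '/' test is what stops "/usr/share/zoneinfoX/..." or the bare
     * directory itself from passing on a prefix match alone. */
    if (strncmp(tzval, zoneinfo, n) != 0 || tzval[n] != '/')
        return false;

    return true;
}

int main(void)
{
    /* Constructed sample values. */
    const char *dir = "/usr/share/zoneinfo";
    const char *samples[] = {
        "/usr/share/zoneinfo/Europe/Berlin",
        "/usr/share/zoneinfoX/Europe/Berlin",
        "/usr/share/zoneinfo",
        "/etc/localtime",
    };
    size_t i;

    printf("build with zoneinfo detected (%s):\n", dir);
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("  %-40s -> %s\n", samples[i],
               tz_path_under_zoneinfo(samples[i], dir) ? "accepted" : "rejected");

    printf("build without zoneinfo detected:\n");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("  %-40s -> %s\n", samples[i],
               tz_path_under_zoneinfo(samples[i], NULL) ? "accepted" : "rejected");
    return 0;
}
```

Running it with and without a directory makes the reproducibility point concrete: the same source yields a binary that accepts TZ paths under the zoneinfo directory when tzdata was in the build chroot, and one that rejects all of them when it was not, which is why the package needs to declare that build input.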