This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] tzset robustness [BZ#17715]
- From: Florian Weimer <fweimer at redhat dot com>
- To: Paul Eggert <eggert at cs dot ucla dot edu>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Thu, 22 Jan 2015 10:54:57 +0100
- Subject: Re: [PATCH] tzset robustness [BZ#17715]
On 01/20/2015 05:01 PM, Paul Eggert wrote:
> Florian Weimer wrote:
>> This seems to suggest that the glibc behavior is non-compliant.
>
> No, because POSIX reserves the environment variable name TZDIR for the
> implementation (just as it reserves all upper-case-only names).

Hmm. Does that mean that scrubbing TZ and TZDIR in AT_SECURE mode would
also be compliant?

Anyway, this part of the discussion is only about a potential future patch
I might submit. What about the last iteration of the existing parser fixes?

<https://sourceware.org/ml/libc-alpha/2015-01/msg00360.html>

Okay to commit?

--
Florian Weimer / Red Hat Product Security