[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-gettext] intl: Proof against invalid offset/length

From: Daiki Ueno
Subject: Re: [bug-gettext] intl: Proof against invalid offset/length
Date: Wed, 11 Mar 2015 16:31:59 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Mike Frysinger <address@hidden> writes:

>> What strong technical reasons do you have for propsing these additional
>> checks?
> i thought you could control things via $TEXTDOMAIN/$TEXTDOMAINDIR, but it 
> looks 
> like just `bash` and `gettext` respect those ?  so if you have a shell script 
> that either directly supports translated messages (e.g. bash's $"..."), or 
> indirectly (e.g. manually calling `gettext`), and it doesn't lock down the 
> TEXTDOMAINDIR envvar properly, you could get them to load untrusted data and 
> crash due to the omitted range checks in glibc ?

bindtextdomain is the only place to configure the location, and it
seems to be the design:

However, I too observed a few programs which use the location obtained
from environment variable.  Perhaps it would be nice to suggest using
the fixed location in the documentation.

Daiki Ueno

reply via email to

[Prev in Thread] Current Thread [Next in Thread]