Re: [bug-gettext] intl: Proof against invalid offset/length

From: Daiki Ueno
Subject: Re: [bug-gettext] intl: Proof against invalid offset/length
Date: Sat, 21 Mar 2015 12:17:01 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Florian Weimer <address@hidden> writes:

> The patch will use getauxval(AT_SECURE) or __libc_enable_secure (or
> issetugid on other systems, but which I cannot test).  It is not going
> to be very portable.

I see (though I'm a bit confused that you removed the use of
__libc_enable_secure in CVE-2014-0475).  Can't you use secure_getenv,
for which Gnulib provides a replacement, compare the result with
the normal getenv, and apply the pathname check if needed?

Daiki Ueno
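
The comparison suggested in the message above, sketched as an added example (not code from the thread, gettext or Gnulib). The names `checked_getenv`, `select_env_value` and `value_is_plain_name` are hypothetical, and the pathname check is a stand-in because the message does not spell it out.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc: expose secure_getenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Declared explicitly in case <stdlib.h> was already included without
   _GNU_SOURCE; same prototype as glibc and the Gnulib replacement. */
extern char *secure_getenv(const char *name);

/* Stand-in for "the pathname check" (assumption: not defined in the message).
   Accepts only non-empty values with no '/' and no ".." sequence. */
static int value_is_plain_name(const char *v)
{
    return v[0] != '\0' && strchr(v, '/') == NULL && strstr(v, "..") == NULL;
}

/* Decide which value to use given both lookups of the same variable:
   plain = getenv(name), secure = secure_getenv(name). */
static const char *select_env_value(const char *plain, const char *secure)
{
    if (plain == NULL)
        return NULL;                 /* variable is not set at all */
    if (secure != NULL)
        return plain;                /* not in secure mode: no extra check */
    /* secure_getenv() hid a variable that is set, so the process runs in
       secure mode (e.g. setuid): only a checked value is accepted. */
    return value_is_plain_name(plain) ? plain : NULL;
}

/* Hypothetical wrapper: both lookups plus the decision above. */
static const char *checked_getenv(const char *name)
{
    return select_env_value(getenv(name), secure_getenv(name));
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "LANGUAGE";
    const char *v = checked_getenv(name);
    printf("%s=%s\n", name, v ? v : "(unset or rejected)");
    return 0;
}
```
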
