----- Original Message ----- > Hi Andrew, > > No, I'm NOT against to fix this "potential" risk at all. Just tried > to > point out that this > might not be an "immediate" breach. >
Oh, I know. Just might be nice to get the patch in after four years :-) > It was a mistake to drop the list. > No problem. I don't want to post a mail publicly if it was meant to be private. > -Sherman > > On 08/01/2012 01:11 PM, Andrew Hughes wrote: > > ----- Original Message ----- > >> On 08/01/2012 06:52 AM, Andrew Hughes wrote: > >> > >> > >> > >> Also if you read the old mails then you'll see that we were > >> scratching > >> our heads as to an example that would demonstrate the original > >> issue. > >> I > >> suspect it may have been something that someone spotted rather > >> than > >> someone running with a locale of this length. Well, the locale can > >> be > >> set be an environment variable, so it could potentially > >> be anything of any length... > >> > >> The Debian bug posted above has an example, though I couldn't > >> replicate it. > >> The spec says > >> > >> " If the value of any of these environment variable searches > >> yields a > >> locale that is not supported (and non-null), setlocale () shall > >> return a null pointer and the locale of the process shall not be > >> changed..." > >> > >> So basically setLocale() should not return whatever you set in > >> your > >> corresponding environment variable, it only > >> returns if such a "supported"/installed locale exists. I doubt > >> there > >> is a such a locale anywhere on a real platform. > >> But in theory that could happen, if you try to config a locale > >> with > >> name> 64 and successfully install it. > >> > >> > >> -Sherman > >> > >> > >> > > I still don't see any reason not to just close the hole. AFAICS, > > it's > > also feasibly possible for a variant to appear in the future that > > takes > > the length over 63 characters. > > > > Any reason you didn't reply on list? > > > > Thanks, > > -- Andrew :) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) PGP Key: 248BDC07 (https://keys.indymedia.org/) Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
