CVSROOT: /cvs Module name: src Changes by: [email protected] 2022/09/21 09:57:49
Modified files:
lib/libc/time : localtime.c tzset.3
Log message:
tzset: ignore TZ if it contains an absolute path or issetugid().
Reading time zone files from user-controlled paths can result in
pledge(2) or unveil(2) violations. We also ignore files that contain
a '.' character to avoid paths containing ".." or hidden files.
Work with and OK deraadt@
