This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.
Re: libintl: no way to use private message catalogs (resend)
Ulrich Drepper writes:
> Allowing anything but the standard places (or those allowed by a
> call to bindtextdomain) is a security problem.
The security issue is already handled; namely in setuid/setgid
processes the absolute pathnames inside LANGUAGE will be ignored. Do
you see any other security issue?
In a process where libc_enable_secure == false, the user could achieve
the modified behaviour of gettext() by LD_PRELOADing a modified
compiled libc. Therefore you are not weakening security if you admit
the patch in libc.
Bruno
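
The rule described in the message above (absolute pathnames inside LANGUAGE are ignored in setuid/setgid processes), sketched as an added example; it is not code from the patch or from glibc. The names filter_language and process_is_secure are hypothetical, and getauxval(AT_SECURE) is used here as a stand-in for the libc-internal libc_enable_secure flag.

```c
#include <stddef.h>
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>
/* Assumption: AT_SECURE stands in for libc's internal libc_enable_secure.
   The kernel sets it for setuid/setgid executions. */
int process_is_secure(void) { return getauxval(AT_SECURE) != 0; }
#endif

/* Copy the colon-separated entries of `language` into `out`. When `secure`
   is nonzero, entries that are absolute pathnames are dropped, so only the
   standard catalog locations can be selected. Empty entries are skipped.
   Returns the number of entries dropped, or -1 if `out` is too small. */
int filter_language(const char *language, int secure, char *out, size_t outlen)
{
    size_t used = 0;
    int dropped = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';

    while (*language != '\0') {
        size_t len = strcspn(language, ":");   /* length of this entry */
        int absolute = (len > 0 && language[0] == '/');

        if (len > 0 && secure && absolute) {
            dropped++;                         /* ignored in secure mode */
        } else if (len > 0) {
            size_t need = len + (used > 0 ? 1 : 0);
            if (used + need + 1 > outlen)
                return -1;                     /* fail closed, never truncate */
            if (used > 0)
                out[used++] = ':';
            memcpy(out + used, language, len);
            used += len;
            out[used] = '\0';
        }
        language += len;
        if (*language == ':')
            language++;                        /* step over the separator */
    }
    return dropped;
}
```

A caller would pass process_is_secure() as the secure argument before handing the filtered list to the catalog lookup.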