Austin Group Defect Tracker

Aardvark Mark IV


ID 0000497
Category [1003.1(2008)/Issue 7] System Interfaces
Severity Editorial
Type Clarification Requested
Date Submitted 2011-09-29 17:06
Last Update 2019-06-10 08:55
Reporter jking View Status public  
Assigned To ajosey
Priority normal Resolution Accepted As Marked  
Status Closed  
Name Rob King
Organization
User Reference
Section catopen
Page Number 639
Line Number 21682-21686
Interp Status ---
Final Accepted Text See Note: 0000983
Summary 0000497: catopen has undefined semantics with regards to NLSPATH
Description The catopen interface has the following definition with regards to NLSPATH:

 If name contains a '/', then name specifies a complete name for the message catalog. Otherwise, the environment variable NLSPATH is used with name substituted for the %N conversion specification (see XBD Environment Variables). If NLSPATH exists in the environment when the process starts, then if the process has appropriate privileges, the behavior of catopen() is undefined.

This would seem to imply that having the NLSPATH environment variable specified in the environment makes the usage of catopen undefined.
Desired Action A clarification as to how catopen interacts with NLSPATH.
Tags tc2-2008
Attached Files

- Relationships
related to 0000645 Closed ajosey catopen() uses the ambiguous phrase 'complete name'

-  Notes
(0000977)
Don Cragun (manager)
2011-09-30 17:16

The third paragraph of the Application Usage section already notes that there are
no guidelines in the standard for the location of message catalogs.
To be sure that messages produced by an application running with
"appropriate privileges" (such as root privileges) can't be used by a
hacker setting a strange value for NLSPATH in the environment to
confuse a system administrator,
such applications are required to use absolute pathnames to get defined
behavior when using catopen() to open a message catalog.
(0000983)
nick (manager)
2011-10-06 16:13
edited on: 2011-10-06 16:18

Add a new paragraph to APPLICATION USAGE (after line 21734):


To be sure that messages produced by an application running with
"appropriate privileges" cannot be used by an
attacker setting an unexpected value for NLSPATH in the environment to
confuse a system administrator, such applications should use
pathnames containing a '/' to get defined behavior when using catopen()
to open a message catalog.


Also at line 21685 change

"...on page 173). If NLSPATH exists in the environment ..."

to

"on page 173); if NLSPATH exists in the environment..."

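Added example (not part of the tracker notes or of the standard's text): a C wrapper that a privileged program could use so that the name it passes to catopen() always contains a '/', which is the case the notes above identify as having defined behavior. CATALOG_DIR, the helper names, the sample catalog name, and the root/set-id test standing in for "appropriate privileges" are assumptions.

```c
#include <nl_types.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed install directory (hypothetical; the standard defines no location). */
#define CATALOG_DIR "/usr/local/share/myapp/nls"

/* catopen() takes the name as a pathname, without NLSPATH, only if it has a '/'. */
int name_bypasses_nlspath(const char *name)
{
    return name != NULL && strchr(name, '/') != NULL;
}

/* Assumption: "appropriate privileges" approximated as root or set-id execution. */
int running_privileged(void)
{
    return geteuid() == 0 || geteuid() != getuid() || getegid() != getgid();
}

/* Write the name to hand to catopen() into out; 0 on success, -1 if the name is
 * empty or does not fit. `privileged` is a parameter so the choice is testable. */
int choose_catopen_name(const char *name, int privileged, char *out, size_t outlen)
{
    int n;
    if (name == NULL || *name == '\0')
        return -1;
    if (privileged && !name_bypasses_nlspath(name))
        n = snprintf(out, outlen, "%s/%s", CATALOG_DIR, name); /* fixed location */
    else
        n = snprintf(out, outlen, "%s", name); /* already a path, or unprivileged */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Replacement for catopen(name, NL_CAT_LOCALE) in a program that may be privileged. */
nl_catd open_catalog(const char *name)
{
    char path[4096];
    if (choose_catopen_name(name, running_privileged(), path, sizeof path) != 0)
        return (nl_catd)-1;
    return catopen(path, NL_CAT_LOCALE);
}

int main(void)
{
    nl_catd cat = open_catalog("myapp.cat"); /* constructed catalog name */
    if (cat != (nl_catd)-1) catclose(cat);
    return 0;
}
```
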

- Issue History
Date Modified Username Field Change
2011-09-29 17:06 jking New Issue
2011-09-29 17:06 jking Status New => Under Review
2011-09-29 17:06 jking Assigned To => ajosey
2011-09-29 17:06 jking Name => Rob King
2011-09-29 17:06 jking Section => catopen
2011-09-29 17:06 jking Page Number => unknown
2011-09-29 17:06 jking Line Number => unknown
2011-09-29 18:39 jking Issue Monitored: jking
2011-09-30 17:16 Don Cragun Page Number unknown => 639
2011-09-30 17:16 Don Cragun Line Number unknown => 21682-21686
2011-09-30 17:16 Don Cragun Interp Status => ---
2011-09-30 17:16 Don Cragun Note Added: 0000977
2011-10-06 16:13 nick Note Added: 0000983
2011-10-06 16:16 nick Final Accepted Text => See Note: 0000983
2011-10-06 16:16 nick Status Under Review => Resolution Proposed
2011-10-06 16:16 nick Resolution Open => Accepted As Marked
2011-10-06 16:18 nick Note Edited: 0000983
2011-10-06 16:19 nick Tag Attached: tc2-2008
2011-10-06 16:21 nick Status Resolution Proposed => Resolved
2013-01-18 16:06 jim_pugsley Relationship added related to 0000645
2019-06-10 08:55 agadmin Status Resolved => Closed

