+++ /dev/null
-From: http://sisyphus.ru/srpm/Sisyphus/glibc/patches/10
-
-I added MUDFLAP_OPTIONS to sysdeps/generic/unsecvars.h.
-
-diff -Naur glibc-2.8-20080929.orig/argp/argp-help.c glibc-2.8-20080929/argp/argp-help.c
---- glibc-2.8-20080929.orig/argp/argp-help.c 2007-03-15 20:08:18.000000000 +0000
-+++ glibc-2.8-20080929/argp/argp-help.c 2008-10-15 00:30:49.000000000 +0000
-@@ -165,7 +165,7 @@
- static void
- fill_in_uparams (const struct argp_state *state)
- {
-- const char *var = getenv ("ARGP_HELP_FMT");
-+ const char *var = __secure_getenv ("ARGP_HELP_FMT");
-
- #define SKIPWS(p) do { while (isspace (*p)) p++; } while (0);
-
-diff -Naur glibc-2.8-20080929.orig/catgets/catgets.c glibc-2.8-20080929/catgets/catgets.c
---- glibc-2.8-20080929.orig/catgets/catgets.c 2002-05-15 03:46:42.000000000 +0000
-+++ glibc-2.8-20080929/catgets/catgets.c 2008-10-15 00:30:49.000000000 +0000
-@@ -50,7 +50,7 @@
- || (__libc_enable_secure && strchr (env_var, '/') != NULL))
- env_var = "C";
-
-- nlspath = getenv ("NLSPATH");
-+ nlspath = __secure_getenv ("NLSPATH");
- if (nlspath != NULL && *nlspath != '\0')
- {
- /* Append the system dependent directory. */
-diff -Naur glibc-2.8-20080929.orig/debug/pcprofile.c glibc-2.8-20080929/debug/pcprofile.c
---- glibc-2.8-20080929.orig/debug/pcprofile.c 2001-07-06 04:54:45.000000000 +0000
-+++ glibc-2.8-20080929/debug/pcprofile.c 2008-10-15 00:30:49.000000000 +0000
-@@ -38,7 +38,7 @@
- {
- /* See whether the environment variable `PCPROFILE_OUTPUT' is defined.
- If yes, it should name a FIFO. We open it and mark ourself as active. */
-- const char *outfile = getenv ("PCPROFILE_OUTPUT");
-+ const char *outfile = __secure_getenv ("PCPROFILE_OUTPUT");
-
- if (outfile != NULL && *outfile != '\0')
- {
-diff -Naur glibc-2.8-20080929.orig/debug/segfault.c glibc-2.8-20080929/debug/segfault.c
---- glibc-2.8-20080929.orig/debug/segfault.c 2007-08-22 06:52:12.000000000 +0000
-+++ glibc-2.8-20080929/debug/segfault.c 2008-10-15 00:30:49.000000000 +0000
-@@ -149,7 +149,7 @@
- install_handler (void)
- {
- struct sigaction sa;
-- const char *sigs = getenv ("SEGFAULT_SIGNALS");
-+ const char *sigs = __secure_getenv ("SEGFAULT_SIGNALS");
- const char *name;
-
- sa.sa_handler = (void *) catch_segfault;
-@@ -157,7 +157,7 @@
- sa.sa_flags = SA_RESTART;
-
- /* Maybe we are expected to use an alternative stack. */
-- if (getenv ("SEGFAULT_USE_ALTSTACK") != 0)
-+ if (__secure_getenv ("SEGFAULT_USE_ALTSTACK") != 0)
- {
- void *stack_mem = malloc (2 * SIGSTKSZ);
- struct sigaltstack ss;
-@@ -203,7 +203,7 @@
- }
-
- /* Preserve the output file name if there is any given. */
-- name = getenv ("SEGFAULT_OUTPUT_NAME");
-+ name = __secure_getenv ("SEGFAULT_OUTPUT_NAME");
- if (name != NULL && name[0] != '\0')
- {
- int ret = access (name, R_OK | W_OK);
-diff -Naur glibc-2.8-20080929.orig/elf/Versions glibc-2.8-20080929/elf/Versions
---- glibc-2.8-20080929.orig/elf/Versions 2008-03-08 05:42:26.000000000 +0000
-+++ glibc-2.8-20080929/elf/Versions 2008-10-15 00:30:49.000000000 +0000
-@@ -60,6 +60,8 @@
- _dl_make_stack_executable;
- # Only here for gdb while a better method is developed.
- _dl_debug_state;
-+ # For sanitizing environment.
-+ __libc_security_mask;
- # Pointer protection.
- __pointer_chk_guard;
- }
-diff -Naur glibc-2.8-20080929.orig/elf/dl-support.c glibc-2.8-20080929/elf/dl-support.c
---- glibc-2.8-20080929.orig/elf/dl-support.c 2007-06-20 03:18:16.000000000 +0000
-+++ glibc-2.8-20080929/elf/dl-support.c 2008-10-15 00:30:49.000000000 +0000
-@@ -163,6 +163,7 @@
- internal_function
- _dl_aux_init (ElfW(auxv_t) *av)
- {
-+ int security_mask = 0;
- int seen = 0;
- uid_t uid = 0;
- gid_t gid = 0;
-@@ -196,25 +197,27 @@
- break;
- #endif
- case AT_UID:
-+ if (seen & 1) break;
- uid ^= av->a_un.a_val;
- seen |= 1;
- break;
- case AT_EUID:
-+ if (seen & 2) break;
- uid ^= av->a_un.a_val;
- seen |= 2;
- break;
- case AT_GID:
-+ if (seen & 4) break;
- gid ^= av->a_un.a_val;
- seen |= 4;
- break;
- case AT_EGID:
-+ if (seen & 8) break;
- gid ^= av->a_un.a_val;
- seen |= 8;
- break;
- case AT_SECURE:
-- seen = -1;
-- __libc_enable_secure = av->a_un.a_val;
-- __libc_enable_secure_decided = 1;
-+ security_mask |= av->a_un.a_val != 0;
- break;
- # ifdef DL_PLATFORM_AUXV
- DL_PLATFORM_AUXV
-@@ -222,7 +225,9 @@
- }
- if (seen == 0xf)
- {
-- __libc_enable_secure = uid != 0 || gid != 0;
-+ security_mask |= ((uid != 0) << 1) | ((gid != 0) << 2);
-+ __libc_security_mask = security_mask;
-+ __libc_enable_secure = __libc_security_mask != 0;
- __libc_enable_secure_decided = 1;
- }
- }
-@@ -239,19 +244,19 @@
- if (!_dl_pagesize)
- _dl_pagesize = __getpagesize ();
-
-- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
-+ _dl_verbose = *(__secure_getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
-
- /* Initialize the data structures for the search paths for shared
- objects. */
-- _dl_init_paths (getenv ("LD_LIBRARY_PATH"));
-+ _dl_init_paths (__secure_getenv ("LD_LIBRARY_PATH"));
-
-- _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0';
-+ _dl_lazy = *(__secure_getenv ("LD_BIND_NOW") ?: "") == '\0';
-
-- _dl_bind_not = *(getenv ("LD_BIND_NOT") ?: "") != '\0';
-+ _dl_bind_not = *(__secure_getenv ("LD_BIND_NOT") ?: "") != '\0';
-
-- _dl_dynamic_weak = *(getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0';
-+ _dl_dynamic_weak = *(__secure_getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0';
-
-- _dl_profile_output = getenv ("LD_PROFILE_OUTPUT");
-+ _dl_profile_output = __secure_getenv ("LD_PROFILE_OUTPUT");
- if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0')
- _dl_profile_output
- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
-@@ -264,6 +269,8 @@
- EXTRA_UNSECURE_ENVVARS
- #endif
- ;
-+ static const char restricted_envvars[] =
-+ RESTRICTED_ENVVARS;
- const char *cp = unsecure_envvars;
-
- while (cp < unsecure_envvars + sizeof (unsecure_envvars))
-@@ -272,8 +279,31 @@
- cp = (const char *) __rawmemchr (cp, '\0') + 1;
- }
-
-- if (__access ("/etc/suid-debug", F_OK) != 0)
-- __unsetenv ("MALLOC_CHECK_");
-+ if (__libc_security_mask & 2)
-+ {
-+ static const char unsecure_uid_envvars[] =
-+ UNSECURE_UID_ENVVARS;
-+
-+ cp = unsecure_uid_envvars;
-+ while (cp < unsecure_uid_envvars + sizeof (unsecure_uid_envvars))
-+ {
-+ __unsetenv (cp);
-+ cp = (const char *) __rawmemchr (cp, '\0') + 1;
-+ }
-+ }
-+
-+ /* This loop is buggy: it will only check the first occurrence of each
-+ variable (but will correctly remove all in case of a match). This
-+ may be a problem if the list is later re-ordered or accessed by an
-+ application with something other than the glibc getenv(). */
-+ cp = restricted_envvars;
-+ while (cp < restricted_envvars + sizeof (restricted_envvars))
-+ {
-+ const char *value = getenv (cp);
-+ if (value && (value[0] == '.' || strchr(value, '/')))
-+ __unsetenv (cp);
-+ cp = (const char *) __rawmemchr (cp, '\0') + 1;
-+ }
- }
-
- #ifdef DL_PLATFORM_INIT
-diff -Naur glibc-2.8-20080929.orig/elf/dl-sysdep.c glibc-2.8-20080929/elf/dl-sysdep.c
---- glibc-2.8-20080929.orig/elf/dl-sysdep.c 2008-03-08 07:28:36.000000000 +0000
-+++ glibc-2.8-20080929/elf/dl-sysdep.c 2008-10-15 00:30:49.000000000 +0000
-@@ -54,8 +54,10 @@
- #ifdef NEED_DL_BASE_ADDR
- ElfW(Addr) _dl_base_addr;
- #endif
--int __libc_enable_secure attribute_relro = 0;
-+int __libc_enable_secure attribute_relro = 1;
- INTVARDEF(__libc_enable_secure)
-+int __libc_security_mask attribute_relro = 0x7fffffff;
-+INTVARDEF(__libc_security_mask)
- int __libc_multiple_libcs = 0; /* Defining this here avoids the inclusion
- of init-first. */
- /* This variable contains the lowest stack address ever used. */
-@@ -80,6 +82,10 @@
- # define DL_STACK_END(cookie) ((void *) (cookie))
- #endif
-
-+#ifdef HAVE_AUX_XID
-+#undef HAVE_AUX_XID
-+#endif
-+
- ElfW(Addr)
- _dl_sysdep_start (void **start_argptr,
- void (*dl_main) (const ElfW(Phdr) *phdr, ElfW(Word) phnum,
-@@ -89,19 +95,19 @@
- ElfW(Word) phnum = 0;
- ElfW(Addr) user_entry;
- ElfW(auxv_t) *av;
--#ifdef HAVE_AUX_SECURE
-+ int security_mask = 0;
-+#if 0
- # define set_seen(tag) (tag) /* Evaluate for the side effects. */
--# define set_seen_secure() ((void) 0)
- #else
- uid_t uid = 0;
- gid_t gid = 0;
- unsigned int seen = 0;
--# define set_seen_secure() (seen = -1)
- # ifdef HAVE_AUX_XID
- # define set_seen(tag) (tag) /* Evaluate for the side effects. */
- # else
- # define M(type) (1 << (type))
- # define set_seen(tag) seen |= M ((tag)->a_type)
-+# define is_seen(tag) seen & M ((tag)->a_type)
- # endif
- #endif
- #ifdef NEED_DL_SYSINFO
-@@ -135,21 +141,18 @@
- _dl_base_addr = av->a_un.a_val;
- break;
- #endif
--#ifndef HAVE_AUX_SECURE
- case AT_UID:
- case AT_EUID:
-+ if (is_seen (av)) break;
- uid ^= av->a_un.a_val;
- break;
- case AT_GID:
- case AT_EGID:
-+ if (is_seen (av)) break;
- gid ^= av->a_un.a_val;
- break;
--#endif
- case AT_SECURE:
--#ifndef HAVE_AUX_SECURE
-- seen = -1;
--#endif
-- INTUSE(__libc_enable_secure) = av->a_un.a_val;
-+ security_mask |= av->a_un.a_val != 0;
- break;
- case AT_PLATFORM:
- GLRO(dl_platform) = (void *) av->a_un.a_val;
-@@ -178,8 +181,6 @@
- #endif
- }
-
--#ifndef HAVE_AUX_SECURE
-- if (seen != -1)
- {
- /* Fill in the values we have not gotten from the kernel through the
- auxiliary vector. */
-@@ -191,12 +192,12 @@
- SEE (GID, gid, gid);
- SEE (EGID, gid, egid);
- # endif
--
-- /* If one of the two pairs of IDs does not match this is a setuid
-- or setgid run. */
-- INTUSE(__libc_enable_secure) = uid | gid;
- }
--#endif
-+ /* If one of the two pairs of IDs does not match
-+ this is a setuid or setgid run. */
-+ security_mask |= ((uid != 0) << 1) | ((gid != 0) << 2);
-+ INTUSE(__libc_security_mask) = security_mask;
-+ INTUSE(__libc_enable_secure) = security_mask != 0;
-
- #ifndef HAVE_AUX_PAGESIZE
- if (GLRO(dl_pagesize) == 0)
-diff -Naur glibc-2.8-20080929.orig/elf/enbl-secure.c glibc-2.8-20080929/elf/enbl-secure.c
---- glibc-2.8-20080929.orig/elf/enbl-secure.c 2005-12-14 08:46:07.000000000 +0000
-+++ glibc-2.8-20080929/elf/enbl-secure.c 2008-10-15 00:30:49.000000000 +0000
-@@ -27,11 +27,17 @@
- int __libc_enable_secure_decided;
- /* Safest assumption, if somehow the initializer isn't run. */
- int __libc_enable_secure = 1;
-+int __libc_security_mask = 0x7fffffff;
-
- void
- __libc_init_secure (void)
- {
- if (__libc_enable_secure_decided == 0)
-- __libc_enable_secure = (__geteuid () != __getuid ()
-- || __getegid () != __getgid ());
-+ {
-+ __libc_security_mask =
-+ ((__geteuid () != __getuid ()) << 1) |
-+ ((__getegid () != __getgid ()) << 2);
-+ __libc_enable_secure = __libc_security_mask != 0;
-+ __libc_security_mask |= __libc_enable_secure;
-+ }
- }
-diff -Naur glibc-2.8-20080929.orig/elf/rtld.c glibc-2.8-20080929/elf/rtld.c
---- glibc-2.8-20080929.orig/elf/rtld.c 2008-03-08 07:29:40.000000000 +0000
-+++ glibc-2.8-20080929/elf/rtld.c 2008-10-15 00:30:49.000000000 +0000
-@@ -2500,6 +2500,7 @@
- GLRO(dl_profile_output)
- = &"/var/tmp\0/var/profile"[INTUSE(__libc_enable_secure) ? 9 : 0];
-
-+ if (__builtin_expect (!INTUSE(__libc_enable_secure), 1))
- while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
- {
- size_t len = 0;
-@@ -2566,8 +2567,7 @@
- case 9:
- /* Test whether we want to see the content of the auxiliary
- array passed up from the kernel. */
-- if (!INTUSE(__libc_enable_secure)
-- && memcmp (envline, "SHOW_AUXV", 9) == 0)
-+ if (memcmp (envline, "SHOW_AUXV", 9) == 0)
- _dl_show_auxv ();
- break;
-
-@@ -2580,8 +2580,7 @@
-
- case 11:
- /* Path where the binary is found. */
-- if (!INTUSE(__libc_enable_secure)
-- && memcmp (envline, "ORIGIN_PATH", 11) == 0)
-+ if (memcmp (envline, "ORIGIN_PATH", 11) == 0)
- GLRO(dl_origin_path) = &envline[12];
- break;
-
-@@ -2600,8 +2599,7 @@
- break;
- }
-
-- if (!INTUSE(__libc_enable_secure)
-- && memcmp (envline, "DYNAMIC_WEAK", 12) == 0)
-+ if (memcmp (envline, "DYNAMIC_WEAK", 12) == 0)
- GLRO(dl_dynamic_weak) = 1;
- break;
-
-@@ -2611,8 +2609,7 @@
- #ifdef EXTRA_LD_ENVVARS_13
- EXTRA_LD_ENVVARS_13
- #endif
-- if (!INTUSE(__libc_enable_secure)
-- && memcmp (envline, "USE_LOAD_BIAS", 13) == 0)
-+ if (memcmp (envline, "USE_LOAD_BIAS", 13) == 0)
- {
- GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
- break;
-@@ -2624,8 +2621,7 @@
-
- case 14:
- /* Where to place the profiling data file. */
-- if (!INTUSE(__libc_enable_secure)
-- && memcmp (envline, "PROFILE_OUTPUT", 14) == 0
-+ if (memcmp (envline, "PROFILE_OUTPUT", 14) == 0
- && envline[15] != '\0')
- GLRO(dl_profile_output) = &envline[15];
- break;
-@@ -2669,16 +2665,39 @@
- EXTRA_UNSECURE_ENVVARS
- #endif
- UNSECURE_ENVVARS;
-+ static const char restricted_envvars[] =
-+ RESTRICTED_ENVVARS;
- const char *nextp;
-
-- nextp = unsecure_envvars;
-- do
-+ for (nextp = unsecure_envvars; *nextp != '\0';
-+ nextp = (char *) rawmemchr (nextp, '\0') + 1)
- {
- unsetenv (nextp);
-- /* We could use rawmemchr but this need not be fast. */
-- nextp = (char *) (strchr) (nextp, '\0') + 1;
- }
-- while (*nextp != '\0');
-+
-+ if (__builtin_expect (INTUSE(__libc_security_mask) & 2, 0))
-+ {
-+ static const char unsecure_uid_envvars[] =
-+ UNSECURE_UID_ENVVARS;
-+
-+ for (nextp = unsecure_uid_envvars; *nextp != '\0';
-+ nextp = (char *) rawmemchr (nextp, '\0') + 1)
-+ {
-+ unsetenv (nextp);
-+ }
-+ }
-+
-+ /* This loop is buggy: it will only check the first occurrence of each
-+ variable (but will correctly remove all in case of a match). This
-+ may be a problem if the list is later re-ordered or accessed by an
-+ application with something other than the glibc getenv(). */
-+ for (nextp = restricted_envvars; *nextp != '\0';
-+ nextp = (char *) rawmemchr (nextp, '\0') + 1)
-+ {
-+ const char *value = getenv (nextp);
-+ if (value && (value[0] == '.' || strchr(value, '/')))
-+ unsetenv (nextp);
-+ }
-
- if (__access ("/etc/suid-debug", F_OK) != 0)
- {
-diff -Naur glibc-2.8-20080929.orig/gmon/gmon.c glibc-2.8-20080929/gmon/gmon.c
---- glibc-2.8-20080929.orig/gmon/gmon.c 2008-03-19 06:43:31.000000000 +0000
-+++ glibc-2.8-20080929/gmon/gmon.c 2008-10-15 00:30:49.000000000 +0000
-@@ -326,8 +326,8 @@
- # define O_NOFOLLOW 0
- #endif
-
-- env = getenv ("GMON_OUT_PREFIX");
-- if (env != NULL && !__libc_enable_secure)
-+ env = __secure_getenv ("GMON_OUT_PREFIX");
-+ if (env != NULL)
- {
- size_t len = strlen (env);
- char buf[len + 20];
-diff -Naur glibc-2.8-20080929.orig/iconv/gconv_cache.c glibc-2.8-20080929/iconv/gconv_cache.c
---- glibc-2.8-20080929.orig/iconv/gconv_cache.c 2007-07-28 19:00:25.000000000 +0000
-+++ glibc-2.8-20080929/iconv/gconv_cache.c 2008-10-15 00:30:49.000000000 +0000
-@@ -55,7 +55,7 @@
-
- /* We cannot use the cache if the GCONV_PATH environment variable is
- set. */
-- __gconv_path_envvar = getenv ("GCONV_PATH");
-+ __gconv_path_envvar = __secure_getenv ("GCONV_PATH");
- if (__gconv_path_envvar != NULL)
- return -1;
-
-diff -Naur glibc-2.8-20080929.orig/include/unistd.h glibc-2.8-20080929/include/unistd.h
---- glibc-2.8-20080929.orig/include/unistd.h 2006-07-31 05:57:52.000000000 +0000
-+++ glibc-2.8-20080929/include/unistd.h 2008-10-15 00:30:49.000000000 +0000
-@@ -142,10 +142,12 @@
- and some functions contained in the C library ignore various
- environment variables that normally affect them. */
- extern int __libc_enable_secure attribute_relro;
-+extern int __libc_security_mask attribute_relro;
- extern int __libc_enable_secure_decided;
- #ifdef IS_IN_rtld
- /* XXX The #ifdef should go. */
- extern int __libc_enable_secure_internal attribute_relro attribute_hidden;
-+extern int __libc_security_mask_internal attribute_relro attribute_hidden;
- #endif
-
-
-diff -Naur glibc-2.8-20080929.orig/intl/dcigettext.c glibc-2.8-20080929/intl/dcigettext.c
---- glibc-2.8-20080929.orig/intl/dcigettext.c 2008-03-31 00:37:17.000000000 +0000
-+++ glibc-2.8-20080929/intl/dcigettext.c 2008-10-15 00:30:49.000000000 +0000
-@@ -1391,7 +1391,7 @@
-
- if (!output_charset_cached)
- {
-- const char *value = getenv ("OUTPUT_CHARSET");
-+ const char *value = __secure_getenv ("OUTPUT_CHARSET");
-
- if (value != NULL && value[0] != '\0')
- {
-diff -Naur glibc-2.8-20080929.orig/io/getdirname.c glibc-2.8-20080929/io/getdirname.c
---- glibc-2.8-20080929.orig/io/getdirname.c 2001-07-06 04:54:53.000000000 +0000
-+++ glibc-2.8-20080929/io/getdirname.c 2008-10-15 00:30:49.000000000 +0000
-@@ -31,7 +31,7 @@
- char *pwd;
- struct stat64 dotstat, pwdstat;
-
-- pwd = getenv ("PWD");
-+ pwd = __secure_getenv ("PWD");
- if (pwd != NULL
- && stat64 (".", &dotstat) == 0
- && stat64 (pwd, &pwdstat) == 0
-diff -Naur glibc-2.8-20080929.orig/libidn/toutf8.c glibc-2.8-20080929/libidn/toutf8.c
---- glibc-2.8-20080929.orig/libidn/toutf8.c 2005-02-22 01:25:30.000000000 +0000
-+++ glibc-2.8-20080929/libidn/toutf8.c 2008-10-15 00:30:49.000000000 +0000
-@@ -74,7 +74,7 @@
- const char *
- stringprep_locale_charset (void)
- {
-- const char *charset = getenv ("CHARSET"); /* flawfinder: ignore */
-+ const char *charset = __secure_getenv ("CHARSET");
-
- if (charset && *charset)
- return charset;
-diff -Naur glibc-2.8-20080929.orig/locale/newlocale.c glibc-2.8-20080929/locale/newlocale.c
---- glibc-2.8-20080929.orig/locale/newlocale.c 2008-03-31 00:37:03.000000000 +0000
-+++ glibc-2.8-20080929/locale/newlocale.c 2008-10-15 00:30:49.000000000 +0000
-@@ -104,7 +104,7 @@
- locale_path = NULL;
- locale_path_len = 0;
-
-- locpath_var = getenv ("LOCPATH");
-+ locpath_var = __secure_getenv ("LOCPATH");
- if (locpath_var != NULL && locpath_var[0] != '\0')
- {
- if (__argz_create_sep (locpath_var, ':',
-diff -Naur glibc-2.8-20080929.orig/locale/setlocale.c glibc-2.8-20080929/locale/setlocale.c
---- glibc-2.8-20080929.orig/locale/setlocale.c 2008-03-31 00:37:03.000000000 +0000
-+++ glibc-2.8-20080929/locale/setlocale.c 2008-10-15 00:30:49.000000000 +0000
-@@ -246,7 +246,7 @@
- locale_path = NULL;
- locale_path_len = 0;
-
-- locpath_var = getenv ("LOCPATH");
-+ locpath_var = __secure_getenv ("LOCPATH");
- if (locpath_var != NULL && locpath_var[0] != '\0')
- {
- if (__argz_create_sep (locpath_var, ':',
-diff -Naur glibc-2.8-20080929.orig/malloc/arena.c glibc-2.8-20080929/malloc/arena.c
---- glibc-2.8-20080929.orig/malloc/arena.c 2007-12-12 00:11:27.000000000 +0000
-+++ glibc-2.8-20080929/malloc/arena.c 2008-10-15 00:30:49.000000000 +0000
-@@ -494,10 +494,10 @@
- # undef NO_STARTER
- # endif
- #endif
-+ s = NULL;
- #ifdef _LIBC
- secure = __libc_enable_secure;
-- s = NULL;
-- if (__builtin_expect (_environ != NULL, 1))
-+ if (! secure && __builtin_expect (_environ != NULL, 1))
- {
- char **runp = _environ;
- char *envline;
-@@ -520,26 +520,20 @@
- s = &envline[7];
- break;
- case 8:
-- if (! secure)
-- {
- if (memcmp (envline, "TOP_PAD_", 8) == 0)
- mALLOPt(M_TOP_PAD, atoi(&envline[9]));
- else if (memcmp (envline, "PERTURB_", 8) == 0)
- mALLOPt(M_PERTURB, atoi(&envline[9]));
-- }
- break;
- case 9:
-- if (! secure && memcmp (envline, "MMAP_MAX_", 9) == 0)
-+ if (memcmp (envline, "MMAP_MAX_", 9) == 0)
- mALLOPt(M_MMAP_MAX, atoi(&envline[10]));
- break;
- case 15:
-- if (! secure)
-- {
- if (memcmp (envline, "TRIM_THRESHOLD_", 15) == 0)
- mALLOPt(M_TRIM_THRESHOLD, atoi(&envline[16]));
- else if (memcmp (envline, "MMAP_THRESHOLD_", 15) == 0)
- mALLOPt(M_MMAP_THRESHOLD, atoi(&envline[16]));
-- }
- break;
- default:
- break;
-diff -Naur glibc-2.8-20080929.orig/malloc/memusage.c glibc-2.8-20080929/malloc/memusage.c
---- glibc-2.8-20080929.orig/malloc/memusage.c 2006-12-08 17:13:24.000000000 +0000
-+++ glibc-2.8-20080929/malloc/memusage.c 2008-10-15 00:30:49.000000000 +0000
-@@ -214,7 +214,7 @@
- static void
- me (void)
- {
-- const char *env = getenv ("MEMUSAGE_PROG_NAME");
-+ const char *env = __secure_getenv ("MEMUSAGE_PROG_NAME");
- size_t prog_len = strlen (__progname);
-
- initialized = -1;
-@@ -250,7 +250,7 @@
- if (!start_sp)
- start_sp = GETSP ();
-
-- outname = getenv ("MEMUSAGE_OUTPUT");
-+ outname = __secure_getenv ("MEMUSAGE_OUTPUT");
- if (outname != NULL && outname[0] != '\0'
- && (access (outname, R_OK | W_OK) == 0 || errno == ENOENT))
- {
-@@ -273,7 +273,7 @@
- /* Determine the buffer size. We use the default if the
- environment variable is not present. */
- buffer_size = DEFAULT_BUFFER_SIZE;
-- if (getenv ("MEMUSAGE_BUFFER_SIZE") != NULL)
-+ if (__secure_getenv ("MEMUSAGE_BUFFER_SIZE") != NULL)
- {
- buffer_size = atoi (getenv ("MEMUSAGE_BUFFER_SIZE"));
- if (buffer_size == 0 || buffer_size > DEFAULT_BUFFER_SIZE)
-@@ -281,7 +281,7 @@
- }
-
- /* Possibly enable timer-based stack pointer retrieval. */
-- if (getenv ("MEMUSAGE_NO_TIMER") == NULL)
-+ if (__secure_getenv ("MEMUSAGE_NO_TIMER") == NULL)
- {
- struct sigaction act;
-
-@@ -302,7 +302,7 @@
- }
- }
-
-- if (!not_me && getenv ("MEMUSAGE_TRACE_MMAP") != NULL)
-+ if (!not_me && __secure_getenv ("MEMUSAGE_TRACE_MMAP") != NULL)
- trace_mmap = true;
- }
- }
-diff -Naur glibc-2.8-20080929.orig/nis/nis_defaults.c glibc-2.8-20080929/nis/nis_defaults.c
---- glibc-2.8-20080929.orig/nis/nis_defaults.c 2006-10-11 16:22:34.000000000 +0000
-+++ glibc-2.8-20080929/nis/nis_defaults.c 2008-10-15 00:30:49.000000000 +0000
-@@ -358,7 +358,7 @@
-
- char *cptr = defaults;
- if (cptr == NULL)
-- cptr = getenv ("NIS_DEFAULTS");
-+ cptr = __secure_getenv ("NIS_DEFAULTS");
-
- if (cptr != NULL)
- {
-@@ -385,7 +385,7 @@
-
- char *cptr = defaults;
- if (cptr == NULL)
-- cptr = getenv ("NIS_DEFAULTS");
-+ cptr = __secure_getenv ("NIS_DEFAULTS");
-
- if (cptr != NULL)
- {
-@@ -417,7 +417,7 @@
- return searchttl (defaults);
- }
-
-- cptr = getenv ("NIS_DEFAULTS");
-+ cptr = __secure_getenv ("NIS_DEFAULTS");
- if (cptr == NULL)
- return DEFAULT_TTL;
-
-@@ -445,7 +445,7 @@
- result = searchaccess (param, result);
- else
- {
-- cptr = getenv ("NIS_DEFAULTS");
-+ cptr = __secure_getenv ("NIS_DEFAULTS");
- if (cptr != NULL && strstr (cptr, "access=") != NULL)
- result = searchaccess (cptr, result);
- }
-diff -Naur glibc-2.8-20080929.orig/nis/nis_local_names.c glibc-2.8-20080929/nis/nis_local_names.c
---- glibc-2.8-20080929.orig/nis/nis_local_names.c 2006-04-07 06:52:01.000000000 +0000
-+++ glibc-2.8-20080929/nis/nis_local_names.c 2008-10-15 00:30:49.000000000 +0000
-@@ -30,7 +30,7 @@
-
- char *cptr;
- if (__nisgroup[0] == '\0'
-- && (cptr = getenv ("NIS_GROUP")) != NULL
-+ && (cptr = __secure_getenv ("NIS_GROUP")) != NULL
- && strlen (cptr) < NIS_MAXNAMELEN)
- {
- char *cp = stpcpy (__nisgroup, cptr);
-diff -Naur glibc-2.8-20080929.orig/nis/nis_subr.c glibc-2.8-20080929/nis/nis_subr.c
---- glibc-2.8-20080929.orig/nis/nis_subr.c 2007-07-28 20:43:36.000000000 +0000
-+++ glibc-2.8-20080929/nis/nis_subr.c 2008-10-15 00:30:49.000000000 +0000
-@@ -178,7 +178,7 @@
- }
-
- /* Get the search path, where we have to search "name" */
-- path = getenv ("NIS_PATH");
-+ path = __secure_getenv ("NIS_PATH");
- if (path == NULL)
- path = strdupa ("$");
- else
-diff -Naur glibc-2.8-20080929.orig/posix/execvp.c glibc-2.8-20080929/posix/execvp.c
---- glibc-2.8-20080929.orig/posix/execvp.c 2007-01-03 23:01:15.000000000 +0000
-+++ glibc-2.8-20080929/posix/execvp.c 2008-10-15 00:30:49.000000000 +0000
-@@ -90,7 +90,7 @@
- {
- size_t pathlen;
- size_t alloclen = 0;
-- char *path = getenv ("PATH");
-+ char *path = __secure_getenv ("PATH");
- if (path == NULL)
- {
- pathlen = confstr (_CS_PATH, (char *) NULL, 0);
-@@ -116,11 +116,11 @@
- if (path == NULL)
- {
- /* There is no `PATH' in the environment.
-- The default search path is the current directory
-- followed by the path `confstr' returns for `_CS_PATH'. */
-+ The default search path is what `confstr' returns
-+ for `_CS_PATH'. */
- path = name + pathlen + len + 1;
-- path[0] = ':';
-- (void) confstr (_CS_PATH, path + 1, pathlen);
-+ path[0] = '\0';
-+ (void) confstr (_CS_PATH, path, pathlen);
- }
-
- /* Copy the file name at the top. */
-diff -Naur glibc-2.8-20080929.orig/posix/glob.c glibc-2.8-20080929/posix/glob.c
---- glibc-2.8-20080929.orig/posix/glob.c 2007-10-15 04:59:03.000000000 +0000
-+++ glibc-2.8-20080929/posix/glob.c 2008-10-15 00:30:49.000000000 +0000
-@@ -557,7 +557,7 @@
- && (dirname[2] == '\0' || dirname[2] == '/')))
- {
- /* Look up home directory. */
-- const char *home_dir = getenv ("HOME");
-+ const char *home_dir = __secure_getenv ("HOME");
- # ifdef _AMIGA
- if (home_dir == NULL || home_dir[0] == '\0')
- home_dir = "SYS:";
-diff -Naur glibc-2.8-20080929.orig/posix/wordexp.c glibc-2.8-20080929/posix/wordexp.c
---- glibc-2.8-20080929.orig/posix/wordexp.c 2007-01-25 00:43:39.000000000 +0000
-+++ glibc-2.8-20080929/posix/wordexp.c 2008-10-15 00:30:49.000000000 +0000
-@@ -320,7 +320,7 @@
- results are unspecified. We do a lookup on the uid if
- HOME is unset. */
-
-- home = getenv ("HOME");
-+ home = __secure_getenv ("HOME");
- if (home != NULL)
- {
- *word = w_addstr (*word, word_length, max_length, home);
-@@ -1493,7 +1493,7 @@
- }
- }
- else
-- value = getenv (env);
-+ value = __secure_getenv (env);
-
- if (value == NULL && (flags & WRDE_UNDEF))
- {
-@@ -2262,7 +2262,7 @@
- /* Find out what the field separators are.
- * There are two types: whitespace and non-whitespace.
- */
-- ifs = getenv ("IFS");
-+ ifs = __secure_getenv ("IFS");
-
- if (ifs == NULL)
- /* IFS unset - use <space><tab><newline>. */
-diff -Naur glibc-2.8-20080929.orig/resolv/res_hconf.c glibc-2.8-20080929/resolv/res_hconf.c
---- glibc-2.8-20080929.orig/resolv/res_hconf.c 2007-11-23 03:03:31.000000000 +0000
-+++ glibc-2.8-20080929/resolv/res_hconf.c 2008-10-15 00:30:49.000000000 +0000
-@@ -304,7 +304,7 @@
-
- memset (&_res_hconf, '\0', sizeof (_res_hconf));
-
-- hconf_name = getenv (ENV_HOSTCONF);
-+ hconf_name = __secure_getenv (ENV_HOSTCONF);
- if (hconf_name == NULL)
- hconf_name = _PATH_HOSTCONF;
-
-@@ -323,23 +323,23 @@
- fclose (fp);
- }
-
-- envval = getenv (ENV_SPOOF);
-+ envval = __secure_getenv (ENV_SPOOF);
- if (envval)
- arg_spoof (ENV_SPOOF, 1, envval);
-
-- envval = getenv (ENV_MULTI);
-+ envval = __secure_getenv (ENV_MULTI);
- if (envval)
- arg_bool (ENV_MULTI, 1, envval, HCONF_FLAG_MULTI);
-
-- envval = getenv (ENV_REORDER);
-+ envval = __secure_getenv (ENV_REORDER);
- if (envval)
- arg_bool (ENV_REORDER, 1, envval, HCONF_FLAG_REORDER);
-
-- envval = getenv (ENV_TRIM_ADD);
-+ envval = __secure_getenv (ENV_TRIM_ADD);
- if (envval)
- arg_trimdomain_list (ENV_TRIM_ADD, 1, envval);
-
-- envval = getenv (ENV_TRIM_OVERR);
-+ envval = __secure_getenv (ENV_TRIM_OVERR);
- if (envval)
- {
- _res_hconf.num_trimdomains = 0;
-diff -Naur glibc-2.8-20080929.orig/resolv/res_init.c glibc-2.8-20080929/resolv/res_init.c
---- glibc-2.8-20080929.orig/resolv/res_init.c 2008-04-07 17:20:25.000000000 +0000
-+++ glibc-2.8-20080929/resolv/res_init.c 2008-10-15 00:30:49.000000000 +0000
-@@ -201,7 +201,7 @@
- #endif
-
- /* Allow user to override the local domain definition */
-- if ((cp = getenv("LOCALDOMAIN")) != NULL) {
-+ if ((cp = __secure_getenv("LOCALDOMAIN")) != NULL) {
- (void)strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
- statp->defdname[sizeof(statp->defdname) - 1] = '\0';
- haveenv++;
-@@ -470,7 +470,7 @@
- #endif /* !RFC1535 */
- }
-
-- if ((cp = getenv("RES_OPTIONS")) != NULL)
-+ if ((cp = __secure_getenv("RES_OPTIONS")) != NULL)
- res_setoptions(statp, cp, "env");
- statp->options |= RES_INIT;
- return (0);
-diff -Naur glibc-2.8-20080929.orig/resolv/res_query.c glibc-2.8-20080929/resolv/res_query.c
---- glibc-2.8-20080929.orig/resolv/res_query.c 2007-02-09 23:43:25.000000000 +0000
-+++ glibc-2.8-20080929/resolv/res_query.c 2008-10-15 00:30:49.000000000 +0000
-@@ -474,7 +474,7 @@
-
- if (statp->options & RES_NOALIASES)
- return (NULL);
-- file = getenv("HOSTALIASES");
-+ file = __secure_getenv("HOSTALIASES");
- if (file == NULL || (fp = fopen(file, "r")) == NULL)
- return (NULL);
- setbuf(fp, NULL);
-diff -Naur glibc-2.8-20080929.orig/stdlib/fmtmsg.c glibc-2.8-20080929/stdlib/fmtmsg.c
---- glibc-2.8-20080929.orig/stdlib/fmtmsg.c 2006-05-15 18:41:18.000000000 +0000
-+++ glibc-2.8-20080929/stdlib/fmtmsg.c 2008-10-15 00:30:49.000000000 +0000
-@@ -205,8 +205,8 @@
- static void
- init (void)
- {
-- const char *msgverb_var = getenv ("MSGVERB");
-- const char *sevlevel_var = getenv ("SEV_LEVEL");
-+ const char *msgverb_var = __secure_getenv ("MSGVERB");
-+ const char *sevlevel_var = __secure_getenv ("SEV_LEVEL");
-
- if (msgverb_var != NULL && msgverb_var[0] != '\0')
- {
-diff -Naur glibc-2.8-20080929.orig/sunrpc/rpc_svcout.c glibc-2.8-20080929/sunrpc/rpc_svcout.c
---- glibc-2.8-20080929.orig/sunrpc/rpc_svcout.c 2005-11-21 15:43:03.000000000 +0000
-+++ glibc-2.8-20080929/sunrpc/rpc_svcout.c 2008-10-15 00:30:49.000000000 +0000
-@@ -897,7 +897,7 @@
- f_print (fout, "\t\t_rpcpmstart = 1;\n");
- if (logflag)
- open_log_file (infile, "\t\t");
-- f_print (fout, "\t\tif ((netid = getenv(\"NLSPROVIDER\")) == NULL) {\n");
-+ f_print (fout, "\t\tif ((netid = __secure_getenv(\"NLSPROVIDER\")) == NULL) {\n");
- sprintf (_errbuf, "cannot get transport name");
- print_err_message ("\t\t\t");
- f_print (fout, "\t\t} else if ((nconf = getnetconfigent(netid)) == NULL) {\n");
-diff -Naur glibc-2.8-20080929.orig/sysdeps/generic/unsecvars.h glibc-2.8-20080929/sysdeps/generic/unsecvars.h
---- glibc-2.8-20080929.orig/sysdeps/generic/unsecvars.h 2006-10-11 16:24:05.000000000 +0000
-+++ glibc-2.8-20080929/sysdeps/generic/unsecvars.h 2008-10-15 00:32:09.000000000 +0000
-@@ -2,25 +2,87 @@
- all stuffed in a single string which means they have to be terminated
- with a '\0' explicitly. */
- #define UNSECURE_ENVVARS \
-- "GCONV_PATH\0" \
-- "GETCONF_DIR\0" \
-- "HOSTALIASES\0" \
-- "LD_AUDIT\0" \
-- "LD_DEBUG\0" \
-- "LD_DEBUG_OUTPUT\0" \
-- "LD_DYNAMIC_WEAK\0" \
-- "LD_LIBRARY_PATH\0" \
-- "LD_ORIGIN_PATH\0" \
-- "LD_PRELOAD\0" \
-- "LD_PROFILE\0" \
-- "LD_SHOW_AUXV\0" \
-- "LD_USE_LOAD_BIAS\0" \
-- "LOCALDOMAIN\0" \
-- "LOCPATH\0" \
-- "MALLOC_TRACE\0" \
-- "NIS_PATH\0" \
-- "NLSPATH\0" \
-- "RESOLV_HOST_CONF\0" \
-- "RES_OPTIONS\0" \
-- "TMPDIR\0" \
-+ "ARGP_HELP_FMT\0" \
-+ "DATEMSK\0" \
-+ "GCONV_PATH\0" \
-+ "GETCONF_DIR\0" \
-+ "GMON_OUT_PREFIX\0" \
-+ "HESIOD_CONFIG\0" \
-+ "HES_DOMAIN\0" \
-+ "HOSTALIASES\0" \
-+ "LD_AUDIT\0" \
-+ "LD_BIND_NOT\0" \
-+ "LD_BIND_NOW\0" \
-+ "LD_DEBUG\0" \
-+ "LD_DEBUG_OUTPUT\0" \
-+ "LD_DYNAMIC_WEAK\0" \
-+ "LD_HWCAP_MASK\0" \
-+ "LD_LIBRARY_PATH\0" \
-+ "LD_ORIGIN_PATH\0" \
-+ "LD_POINTER_GUARD\0" \
-+ "LD_PRELOAD\0" \
-+ "LD_PROFILE\0" \
-+ "LD_PROFILE_OUTPUT\0" \
-+ "LD_SHOW_AUXV\0" \
-+ "LD_TRACE_LOADED_OBJECTS\0" \
-+ "LD_TRACE_PRELINKING\0" \
-+ "LD_USE_LOAD_BIAS\0" \
-+ "LD_VERBOSE\0" \
-+ "LD_WARN\0" \
-+ "LOCALDOMAIN\0" \
-+ "LOCPATH\0" \
-+ "MALLOC_CHECK_\0" \
-+ "MALLOC_MMAP_MAX_\0" \
-+ "MALLOC_MMAP_THRESHOLD_\0" \
-+ "MALLOC_PERTURB_\0" \
-+ "MALLOC_TOP_PAD_\0" \
-+ "MALLOC_TRACE\0" \
-+ "MALLOC_TRIM_THRESHOLD_\0" \
-+ "MEMUSAGE_BUFFER_SIZE\0" \
-+ "MEMUSAGE_NO_TIMER\0" \
-+ "MEMUSAGE_OUTPUT\0" \
-+ "MEMUSAGE_PROG_NAME\0" \
-+ "MEMUSAGE_TRACE_MMAP\0" \
-+ "MSGVERB\0" \
-+ "MUDFLAP_OPTIONS\0" \
-+ "NIS_DEFAULTS\0" \
-+ "NIS_GROUP\0" \
-+ "NIS_PATH\0" \
-+ "NLSPATH\0" \
-+ "PCPROFILE_OUTPUT\0" \
-+ "POSIXLY_CORRECT\0" \
-+ "PWD\0" \
-+ "RESOLV_ADD_TRIM_DOMAINS\0" \
-+ "RESOLV_HOST_CONF\0" \
-+ "RESOLV_MULTI\0" \
-+ "RESOLV_OVERRIDE_TRIM_DOMAINS\0" \
-+ "RESOLV_REORDER\0" \
-+ "RESOLV_SPOOF_CHECK\0" \
-+ "RES_OPTIONS\0" \
-+ "SEGFAULT_OUTPUT_NAME\0" \
-+ "SEGFAULT_SIGNALS\0" \
-+ "SEGFAULT_USE_ALTSTACK\0" \
-+ "SEV_LEVEL\0" \
-+ "TZ\0" \
- "TZDIR\0"
-+
-+#define UNSECURE_UID_ENVVARS \
-+ "TMPDIR\0"
-+
-+#define RESTRICTED_ENVVARS \
-+ "LANG\0" \
-+ "LANGUAGE\0" \
-+ "LC_ADDRESS\0" \
-+ "LC_ALL\0" \
-+ "LC_COLLATE\0" \
-+ "LC_CTYPE\0" \
-+ "LC_IDENTIFICATION\0" \
-+ "LC_MEASUREMENT\0" \
-+ "LC_MESSAGES\0" \
-+ "LC_MONETARY\0" \
-+ "LC_NAME\0" \
-+ "LC_NUMERIC\0" \
-+ "LC_PAPER\0" \
-+ "LC_TELEPHONE\0" \
-+ "LC_TIME\0" \
-+ "LC_XXX\0"
-diff -Naur glibc-2.8-20080929.orig/sysdeps/posix/spawni.c glibc-2.8-20080929/sysdeps/posix/spawni.c
---- glibc-2.8-20080929.orig/sysdeps/posix/spawni.c 2006-06-04 22:16:05.000000000 +0000
-+++ glibc-2.8-20080929/sysdeps/posix/spawni.c 2008-10-15 00:30:49.000000000 +0000
-@@ -227,16 +227,15 @@
- }
-
- /* We have to search for FILE on the path. */
-- path = getenv ("PATH");
-+ path = __secure_getenv ("PATH");
- if (path == NULL)
- {
- /* There is no `PATH' in the environment.
-- The default search path is the current directory
-- followed by the path `confstr' returns for `_CS_PATH'. */
-+ The default search path is ehat `confstr' returns
-+ for `_CS_PATH'. */
- len = confstr (_CS_PATH, (char *) NULL, 0);
-- path = (char *) __alloca (1 + len);
-- path[0] = ':';
-- (void) confstr (_CS_PATH, path + 1, len);
-+ path = (char *) __alloca (len);
-+ (void) confstr (_CS_PATH, path, len);
- }
-
- len = strlen (file) + 1;
-diff -Naur glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/dl-librecon.h glibc-2.8-20080929/sysdeps/unix/sysv/linux/dl-librecon.h
---- glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/dl-librecon.h 2004-03-05 10:14:48.000000000 +0000
-+++ glibc-2.8-20080929/sysdeps/unix/sysv/linux/dl-librecon.h 2008-10-15 00:30:49.000000000 +0000
-@@ -53,7 +53,7 @@
-
- #define DL_OSVERSION_INIT \
- do { \
-- char *assume_kernel = getenv ("LD_ASSUME_KERNEL"); \
-+ char *assume_kernel = __secure_getenv ("LD_ASSUME_KERNEL"); \
- if (assume_kernel) \
- _dl_osversion_init (assume_kernel); \
- } while (0)
-diff -Naur glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/i386/dl-librecon.h glibc-2.8-20080929/sysdeps/unix/sysv/linux/i386/dl-librecon.h
---- glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/i386/dl-librecon.h 2004-10-14 01:53:55.000000000 +0000
-+++ glibc-2.8-20080929/sysdeps/unix/sysv/linux/i386/dl-librecon.h 2008-10-15 00:30:49.000000000 +0000
-@@ -57,6 +57,7 @@
- /* Extra unsecure variables. The names are all stuffed in a single
- string which means they have to be terminated with a '\0' explicitly. */
- #define EXTRA_UNSECURE_ENVVARS \
-+ "LD_LIBRARY_VERSION\0" \
- "LD_AOUT_LIBRARY_PATH\0" \
- "LD_AOUT_PRELOAD\0"
-
-diff -Naur glibc-2.8-20080929.orig/time/getdate.c glibc-2.8-20080929/time/getdate.c
---- glibc-2.8-20080929.orig/time/getdate.c 2007-12-10 01:40:43.000000000 +0000
-+++ glibc-2.8-20080929/time/getdate.c 2008-10-15 00:30:49.000000000 +0000
-@@ -115,7 +115,7 @@
- struct stat64 st;
- int mday_ok = 0;
-
-- datemsk = getenv ("DATEMSK");
-+ datemsk = __secure_getenv ("DATEMSK");
- if (datemsk == NULL || *datemsk == '\0')
- return 1;
-
-diff -Naur glibc-2.8-20080929.orig/time/tzfile.c glibc-2.8-20080929/time/tzfile.c
---- glibc-2.8-20080929.orig/time/tzfile.c 2007-11-06 01:03:43.000000000 +0000
-+++ glibc-2.8-20080929/time/tzfile.c 2008-10-15 00:30:49.000000000 +0000
-@@ -149,7 +149,7 @@
- unsigned int len, tzdir_len;
- char *new, *tmp;
-
-- tzdir = getenv ("TZDIR");
-+ tzdir = __secure_getenv ("TZDIR");
- if (tzdir == NULL || *tzdir == '\0')
- {
- tzdir = default_tzdir;
-diff -Naur glibc-2.8-20080929.orig/time/tzset.c glibc-2.8-20080929/time/tzset.c
---- glibc-2.8-20080929.orig/time/tzset.c 2008-03-19 06:43:34.000000000 +0000
-+++ glibc-2.8-20080929/time/tzset.c 2008-10-15 00:30:49.000000000 +0000
-@@ -383,8 +383,11 @@
- return;
- is_initialized = 1;
-
-- /* Examine the TZ environment variable. */
-- tz = getenv ("TZ");
-+ /* Examine the TZ environment variable. This doesn't really have to be
-+ a __secure_getenv() call as __tzfile_read() tries to only read files
-+ found under a trusted directory, but this helps reduce the amount of
-+ security-critical code. */
-+ tz = __secure_getenv ("TZ");
- if (tz == NULL && !explicit)
- /* Use the site-wide default. This is a file name which means we
- would not see changes to the file if we compare only the file