Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 4 Sep 2017 20:08:26 -0400
From: Rich Felker <>
Subject: Re: musl's asctime catches Python bug

On Mon, Sep 04, 2017 at 07:27:08PM -0400, wrote:
> >I've been working through the Python test suite (2.7.13) on musl
> >(1.1.16). There were a couple over-zealous tests involving errno,
> >and locale tests that I'd expect to fail, but one set of failures
> >I haven't yet been able to rule out as a musl bug.
> There was another bug that I didn't want to mention until Python
> security had a chance to respond: undefined behavior in their
> asctime()/ctime() wrappers for year > 9999, found by virtue of
> musl's use of a_crash to highlight the problem.
> The public discussion is at if
> anyone's interested.

I didn't see a direct link to the fix anywhere, but it's pretty clear
that the right thing to do is call strftime (a clean interface that
lacks global state and thread-safety problems) and/or strftime_l and
never use ctime/asctime.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.