2 files changed, 9 insertions, 4 deletions

diff --git a/locale/findlocale.c b/locale/findlocale.c
index b651dbaaad..e2fdd06f6d 100644
--- a/locale/findlocale.c
+++ b/locale/findlocale.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996, 1997 Free Software Foundation, Inc.
+/* Copyright (C) 1996, 1997, 1998 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Ulrich Drepper <drepper@gnu.ai.mit.edu>, 1996.
 
@@ -20,6 +20,7 @@
 #include <locale.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include <sys/mman.h>
 
 #include "localeinfo.h"
@@ -51,7 +52,11 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
   const char *revision;
   struct loaded_l10nfile *locale_file;
 
-  if ((*name)[0] == '\0')
+  if ((*name)[0] == '\0'
+      /* In SUID binaries we must not allow people to access files
+	 outside the dedicated locale directories.  */
+      || (__libc_enable_secure
+	  && memchr (*name, '/', _nl_find_language (*name) - *name) != NULL))
     {
       /* The user decides which locale to use by setting environment
 	 variables.  */
diff --git a/locale/setlocale.c b/locale/setlocale.c
index 33599c64db..4b6a300481 100644
--- a/locale/setlocale.c
+++ b/locale/setlocale.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991, 1992, 1995, 1996, 1997 Free Software Foundation, Inc.
+/* Copyright (C) 1991, 92, 95, 96, 97, 98 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -360,7 +360,7 @@ setlocale (int category, const char *locale)
 	  /* We must not simply free a global locale since we have no
 	     control over the usage.  So we mark it as un-deletable.
 
-	     Note: do ont remove the `if', it's necessary to copy with
+	     Note: do not remove the `if', it's necessary to copy with
 	     the builtin locale data.  */
 	  if (newdata->usage_count != UNDELETABLE)
 	    newdata->usage_count = UNDELETABLE;