Closed tbu- closed 1 month ago
Is there a specific change you're proposing here? AFAICT the current relevant text is:
> This requires an environment variable to be set in a different thread than the affected functions.
Yes, that it only requires an environment variable to be read in a different thread than the affected functions.
> This requires an environment variable to be ~set~ read in a different thread than the affected functions.
If the vulnerability required setting an environment variable in another thread, it wouldn't be a vulnerability according to the discussion in #1190. The crate in question also sets environment variables though: #1258, so reading environment variables in another thread is enough to trigger the vulnerability.
Okay, want to open a PR with the proposed change?
@briansmith wrote: