Inquiry: Security Hardening in IANA tz Database 2025c and ICU Build Tools


Vaishnav Katiyar

Jan 27, 2026, 5:13:42 AM
to icu-support

Dear ICU Team,


I wanted to bring to your attention the recent security hardening introduced in the IANA tz database 2025c release. This version includes significant improvements to the handling of the TZ environment variable and related timezone parsing functions, specifically aimed at mitigating code injection and path traversal risks during timezone file processing.

Currently, ICU is using a snapshot of tzcode 2014b, which predates these security enhancements. While I understand that the ICU runtime libraries use independent timezone implementations (and thus there is no runtime impact), the build pipeline tools (such as zic and tz2icu) still utilize the older tzcode. This presents a potential risk if the build environment is not fully controlled.

Could you please advise on the following:

  • Are there any plans to upgrade ICU’s bundled tzcode to a more recent version (e.g., 2025c) with these security improvements?
  • What mitigation steps or best practices would you recommend to reduce risk when using the current build tools?
  • Do you have any guidance for securing or updating the build pipeline until ICU adopts a newer tzcode version?


Thank you very much for your guidance and support.


Best regards,

Vaishnav
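
The post refers to path traversal during timezone file processing via the TZ variable. The block below is an added illustration of the containment check a hardened zone-file loader applies; it is not code from tzcode 2025c, ICU, or the poster. The POSIX convention that a leading ':' marks a file name, the look-up of relative names under a TZDIR-style directory, the fixture tree, and the function names are assumptions made for this example.

```python
"""
Added example (not tzcode or ICU code): resolve a TZ-style zone name while
refusing names that escape the zoneinfo directory, including via symlinks.
Assumed semantics: a leading ':' means "file name"; relative names are
looked up under the supplied directory; absolute names are rejected.
"""
import os
import tempfile
from typing import Dict, Optional


def resolve_zone_file(tz_value: str, tzdir: str) -> Optional[str]:
    """Return the absolute path of the zone file named by tz_value, or None if
    the name is empty, contains control characters, is absolute, resolves
    outside tzdir (after symlink resolution), or is not a regular file."""
    name = tz_value[1:] if tz_value.startswith(":") else tz_value
    if not name or any(ord(c) < 0x20 for c in name):
        return None
    # Absolute names bypass the directory the tool was told to use.
    if os.path.isabs(name):
        return None
    base = os.path.realpath(tzdir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Containment is checked on path components after realpath(), so both
    # "../" sequences and symlinks that point outside base are rejected.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_tzdir() -> str:
    """Constructed fixture: a fake zoneinfo tree plus a symlink that escapes it."""
    outside = tempfile.mkdtemp(prefix="outside-")
    with open(os.path.join(outside, "secret"), "w") as f:
        f.write("not a zone file\n")
    tzdir = tempfile.mkdtemp(prefix="zoneinfo-")
    os.makedirs(os.path.join(tzdir, "Europe"))
    with open(os.path.join(tzdir, "Europe", "Berlin"), "wb") as f:
        f.write(b"TZif2" + b"\x00" * 39)  # constructed TZif-looking header only
    os.symlink(os.path.join(outside, "secret"), os.path.join(tzdir, "Escape"))
    return tzdir


def demo(tzdir: str) -> Dict[str, Optional[str]]:
    """Probe the resolver with benign names and traversal attempts."""
    probes = [
        ":Europe/Berlin",            # normal file-name form
        "Europe/Berlin",             # same without the ':' prefix
        ":Europe/../Europe/Berlin",  # normalises back inside tzdir: allowed
        ":../../../etc/passwd",      # dot-dot traversal: rejected
        ":/etc/passwd",              # absolute name: rejected
        ":Escape",                   # symlink leaving tzdir: rejected
        "",                          # empty name: rejected
    ]
    return {p: resolve_zone_file(p, tzdir) for p in probes}


if __name__ == "__main__":
    for probe, result in demo(make_demo_tzdir()).items():
        print(f"{probe!r:30} -> {result}")
```

The same shape of check applies to any build step that turns an untrusted zone name into a file open: resolve first, compare on path components rather than string prefixes, and only then read.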
