The tzsetup command has been included in a CI report due to its use of strcpy(). While this particular use is save and the report is a false positive given the constant strings copied in to a PATH_MAX sized buffer, there is an actual potential buffer overrun nearby where the unbounded size value of chrootenv is assigned to fixed size buffers.
While the strcpy() uses are safe unless the _PATH_* defines are changed, I propose to silence the CI report by use of strlcpy.
The sprintf() calls are replaced by snprintf() to prevent overflow. (Not reported by CI.)