[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Nagios format string issues
From:       Oden Eriksson <oeriksson () mandriva ! com>
Date:       2010-10-12 15:11:44
Message-ID: 201010121711.44451.oeriksson () mandriva ! com
[Download RAW message or body]

torsdag 07 oktober 2010 10:55:49 skrev  Tomas Hoger:
> On Wed, 6 Oct 2010 21:56:09 +0200 Oden Eriksson wrote:
> > I just extracted the patches I made at the time. I cannot tell which
> > of them deserves CVE assignments though. I have put them here:
> > 
> > http://n1.nux.se/work/format_not_a_string_literal_and_no_format_arguments
> > /
> 
> Did you use any specific way to identify all these?  From a quick look
> at a few randomly chosen patches, there seem to be cases where one call
> was fixed, other left unchanged.  That's only for the code visible in
> the context diff.

This was discovered when we started using -Wformat -Werror=format-security 
 
> There are few incorrect fixes too:
> 
> -  g_snprintf (gev.data.b, sizeof (gev.data.b), message);
> +  g_snprintf (gev.data.b, sizeof (gev.data.b), message, "%s");

Whoops!

-- 
Regards // Oden Eriksson
Security team manager - Mandriva
CEO NUX AB
[prev in list] [next in list] [prev in thread] [next in thread]