List: oss-security
Subject: Re: [oss-security] Nagios format string issues
From: Oden Eriksson <oeriksson () mandriva ! com>
Date: 2010-10-12 15:11:44
Message-ID: 201010121711.44451.oeriksson () mandriva ! com
Thursday 07 October 2010 10:55:49, Tomas Hoger wrote:
> On Wed, 6 Oct 2010 21:56:09 +0200 Oden Eriksson wrote:
> > I just extracted the patches I made at the time. I cannot tell which
> > of them deserves CVE assignments though. I have put them here:
> >
> > http://n1.nux.se/work/format_not_a_string_literal_and_no_format_arguments/
>
> Did you use any specific way to identify all these? From a quick look
> at a few randomly chosen patches, there seem to be cases where one call
> was fixed, other left unchanged. That's only for the code visible in
> the context diff.
This was discovered when we started using -Wformat -Werror=format-security.
> There are few incorrect fixes too:
>
> - g_snprintf (gev.data.b, sizeof (gev.data.b), message);
> + g_snprintf (gev.data.b, sizeof (gev.data.b), message, "%s");
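Review bot: the argument order in the `+` line is reversed, so the call is still a format-string bug: `message` remains the format and the literal "%s" is merely supplied as its single argument, which means any conversion inside `message` is still interpreted (and a `%n`, or a second `%s` with no matching argument, still misbehaves). Worse, because a format argument is now present, `-Wformat -Werror=format-security` no longer flags the call, so the incorrect fix silences the very warning that found the bug. The line should read `g_snprintf (gev.data.b, sizeof (gev.data.b), "%s", message);` and `-Wformat-nonliteral` would still have caught the reversed version.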
Whoops!
--
Regards // Oden Eriksson
Security team manager - Mandriva
CEO NUX AB
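The difference between the incorrect fix quoted above and the intended one, as an added example that is not part of this thread or of the Nagios/Mandriva patches. It uses libc `snprintf` in place of `g_snprintf` (both take the third argument as the format), and the input strings are constructed for the demonstration: each contains a `%` but needs at most one variadic argument, so the wrong form does not crash here, whereas a message such as `"%s%s"` or `"%n"` would. The `has_directive` helper is an assumption of this example, a small oracle one can use in tests to flag strings that must never reach a format parameter.

```c
#include <stdio.h>
#include <string.h>

/* The incorrect fix from the thread: message is still the format string and
 * the literal "%s" is passed as its only argument, so every conversion in
 * message is still interpreted. With -Wformat -Werror=format-security this
 * compiles without complaint, because a format argument is now present;
 * only -Wformat-nonliteral would still flag it. */
static int wrong_fix(char *out, size_t n, const char *message)
{
    return snprintf(out, n, message, "%s");
}

/* The correct fix: a literal format, message passed purely as data. */
static int correct_fix(char *out, size_t n, const char *message)
{
    return snprintf(out, n, "%s", message);
}

/* Hypothetical helper (not from the patches): returns 1 if s contains a
 * conversion directive, i.e. a '%' that is not the escape "%%". */
int has_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample event texts. "host %s down" shows why the wrong fix
     * survives casual testing: a single %s consumes the "%s" argument and the
     * output happens to look right. The other two show the interpretation. */
    const char *samples[] = { "disk 100%% full", "%5s", "host %s down" };
    char wrong[64], right[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        wrong_fix(wrong, sizeof wrong, samples[i]);
        correct_fix(right, sizeof right, samples[i]);
        printf("input: %-16s  wrong fix: %-16s  correct fix: %-16s  directive: %d\n",
               samples[i], wrong, right, has_directive(samples[i]));
    }
    return 0;
}
```

Compile with `gcc -Wformat -Werror=format-security` to confirm that neither form produces a diagnostic; add `-Wformat-nonliteral` and only `wrong_fix` is reported, which is the check worth enabling when auditing a fix like the one above.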