oss-sec mailing list archives

Re: Nagios format string issues

From: Tomas Hoger <thoger () redhat com>
Date: Thu, 7 Oct 2010 10:55:49 +0200

On Wed, 6 Oct 2010 21:56:09 +0200 Oden Eriksson wrote:

I just extracted the patches I made at the time. I cannot tell which
of them deserves CVE assignments though. I have put them here:

http://n1.nux.se/work/format_not_a_string_literal_and_no_format_arguments/


Did you use any specific way to identify all these?  From a quick look
at a few randomly chosen patches, there seem to be cases where one call
was fixed, other left unchanged.  That's only for the code visible in
the context diff.

There are few incorrect fixes too:

-  g_snprintf (gev.data.b, sizeof (gev.data.b), message);
+  g_snprintf (gev.data.b, sizeof (gev.data.b), message, "%s");

-- 
Tomas Hoger / Red Hat Security Response Team

Current thread:

Nagios format string issues Florian Weimer (Oct 05)
- Re: Nagios format string issues Oden Eriksson (Oct 06)
- <Possible follow-ups>
- Re: Nagios format string issues Josh Bressers (Oct 06)
  - Re: Nagios format string issues Steven M. Christey (Oct 06)
  - Re: Nagios format string issues Oden Eriksson (Oct 06)
    - Re: Nagios format string issues Tomas Hoger (Oct 07)
    - Re: Nagios format string issues Oden Eriksson (Oct 12)