Bug#670993: busybox: Please use dpkg-buildflags for hardening support
On 14.05.2012 23:13, Jonathan Nieder wrote:
> Michael Tokarev wrote:
>
>> That's the constructs like this:
>>
>> bb_error_msg_and_die(bb_msg_memory_exhausted);
>>
>> where bb_msg_memory_exhausted is declared as extern char *.
>> This is a poor-man implementation of internal constant
>> string folding done by gcc for years.
>
> How about this patch? It fixes a few bugs, if I understand correctly
> (for example, "stat -Z <string with % signs in it>" passes that string
> to vasprintf, allowing privilege escalation if a privileged script
> uses a user-specified string in that argument). I fear it would
> increase the text size, though.
>
> A better patch might involve introducing a separate
>
> bb_error_msgf
>
> function for callers that want to pass a format and letting
> bb_error_msg take a simple string, or turning bb_msg_memory_exhausted
> et al into string literals as you suggested.
I'm not upstream, but I still don't think this is a right approach.
Almost all uses of bb_error_msg and friends are supposed to use
static/constant strings, and introducing additional "%s" is just
unnecessary. If I were upstream I'd reject this approach. But if
you think it is okay, please ask upstream about this approach --
I definitely don't want to carry such a patch in Debian.
The stat -Z case is a real bug however, and should be fixed
separately. But this is - IMHO - a different story.
Thanks,
/mjt
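As an added illustration (not BusyBox's code and not from either poster) of the two-function split suggested above: a plain-string bb_error_msg and a printf-style bb_error_msgf, where the format attribute lets -Wformat-security (enabled by the dpkg-buildflags hardening in this bug) flag any non-literal format. The names bb_error_msg/bb_error_msgf come from the thread; the buffer-based signatures and the APPLET_NAME prefix are assumptions made so the result can be checked.

```c
/* Added example: separate "message" and "format" entry points so that a
 * user-controlled string can never be interpreted as a format string.
 * Signatures and the APPLET_NAME prefix are assumptions, not BusyBox's API. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define APPLET_NAME "busybox"   /* assumed prefix for the message */

/* Formats "APPLET_NAME: <message>" into out; returns the length that
 * would have been written, like snprintf. */
static int vmsg_to_buf(char *out, size_t n, const char *fmt, va_list ap)
{
    int len = snprintf(out, n, "%s: ", APPLET_NAME);
    if (len < 0 || (size_t)len >= n)
        return len;
    return len + vsnprintf(out + len, n - (size_t)len, fmt, ap);
}

/* printf-style variant: the format attribute makes gcc/clang warn (or
 * fail with -Werror=format-security) when fmt is not a string literal. */
__attribute__((format(printf, 3, 4)))
int bb_error_msgf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vmsg_to_buf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* plain-string variant: msg is data, never a format, so '%' is copied verbatim */
int bb_error_msg(char *out, size_t n, const char *msg)
{
    return bb_error_msgf(out, n, "%s", msg);
}

int main(void)
{
    char buf[128];
    /* constructed user-controlled input containing a conversion specifier */
    const char *user = "100%s done";
    bb_error_msg(buf, sizeof buf, user);        /* "busybox: 100%s done" */
    puts(buf);
    bb_error_msgf(buf, sizeof buf, "%d files", 3);
    puts(buf);
    /* bb_error_msgf(buf, sizeof buf, user);  rejected by -Werror=format-security */
    return 0;
}
```

Compile with `gcc -Wformat -Werror=format-security` to see the commented-out call rejected at build time.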