Re: mass bug filing for undefined sn?printf use

To: debian-devel@lists.debian.org
Subject: Re: mass bug filing for undefined sn?printf use
From: Thomas Viehmann <tv@beamnet.de>
Date: Sun, 28 Dec 2008 15:10:37 +0100
Message-id: <[🔎] 495788DD.6090506@beamnet.de>
In-reply-to: <[🔎] 20081228084246.GE12532@outflux.net>
References: <[🔎] 20081228084246.GE12532@outflux.net>

Kees Cook wrote:
> Attached is a list of affected packages, generated via:
> 
>   pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
>   pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> 
> The logs for individual packages can be seen here[4].  I've tried to trim
> out stuff that was Ubuntu-specific or not relevant, so apologies in advance
> if there are incorrect (or missing) things in the list.
> 
> Thoughts?

How about either matching stuff against the build logs or recompiling
with a compiler that actually fails when asked to compile a file that
matches? That would seem to have potential for reducing the number of
false positives.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/

Reply to:

Follow-Ups:
- Re: mass bug filing for undefined sn?printf use
  - From: Kees Cook <kees@outflux.net>

References:
- mass bug filing for undefined sn?printf use
  - From: Kees Cook <kees@outflux.net>

Prev by Date: Bug#510005: ITP: touchfreeze -- a facility for disabling touchpad tap-to-click function
Next by Date: Re: mass bug filing for undefined sn?printf use
Previous by thread: Re: mass bug filing for undefined sn?printf use
Next by thread: Re: mass bug filing for undefined sn?printf use
Index(es):
- Date
- Thread