Re: mass bug filing for undefined sn?printf use
Kees Cook wrote:
> Attached is a list of affected packages, generated via:
>
> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'
>
> The logs for individual packages can be seen here[4]. I've tried to trim
> out stuff that was Ubuntu-specific or not relevant, so apologies in advance
> if there are incorrect (or missing) things in the list.
>
> Thoughts?
How about either matching stuff against the build logs or recompiling
with a compiler that actually fails when asked to compile a file that
matches? That would seem to have potential for reducing the number of
false positives.
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Reply to: