
Re: mass bug filing for undefined sn?printf use

Kees Cook wrote:
> Attached is a list of affected packages, generated via:
>   pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
>   pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> The logs for individual packages can be seen here[4].  I've tried to trim
> out stuff that was Ubuntu-specific or not relevant, so apologies in advance
> if there are incorrect (or missing) things in the list.
> Thoughts?

How about either matching stuff against the build logs or recompiling
with a compiler that actually fails when asked to compile a file that
matches? That would seem to have potential for reducing the number of
false positives.

Kind regards

Thomas Viehmann, http://thomas.viehmann.net/
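As an added illustration (not part of the thread, and not Kees's tooling), the two pcregrep patterns quoted above ported to Python's re module and run over a few constructed C lines, so the heuristic's hits and gaps can be seen side by side: the destination buffer reused as the leading %s argument is undefined behaviour under C99 (the arguments are restrict-qualified), and the regex only flags calls that have at least one more argument after it.

```python
import re

# Python ports of the two pcregrep -M patterns quoted in the thread.
# re.DOTALL lets \s* run across line breaks, like pcregrep -M does.
SPRINTF_SELF_ARG = re.compile(
    r'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,', re.DOTALL)
SNPRINTF_SELF_ARG = re.compile(
    r'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,', re.DOTALL)


def find_self_referencing_printf(source):
    """Return (function, destination, line) for every sprintf/snprintf call
    whose output buffer is also passed as the first %s argument, sorted by
    line number. Line numbers are 1-based, counted from the start of source."""
    hits = []
    for name, pattern in (("sprintf", SPRINTF_SELF_ARG),
                          ("snprintf", SNPRINTF_SELF_ARG)):
        for m in pattern.finditer(source):
            lineno = source.count("\n", 0, m.start()) + 1
            hits.append((name, m.group(1).strip(), lineno))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample, not taken from any real package.
SAMPLE_SOURCE = r"""char path[PATH_MAX], other[PATH_MAX], line[256];
snprintf(path, sizeof path, "%s/%s", path, name);   /* dst aliases the %s arg */
sprintf(path, "%s.%d", path, n);                     /* same, and unbounded */
sprintf(other, "%s", path, x);                       /* distinct buffers: fine */
snprintf(line, sizeof line,
         "%s\n", line, dummy);                       /* call split over lines */
snprintf(path, sizeof path, "%s", path);             /* aliases too, but no trailing arg */"""


if __name__ == "__main__":
    for func, dest, lineno in find_self_referencing_printf(SAMPLE_SOURCE):
        print("line %d: %s writes into %r while reading it via %%s" % (lineno, func, dest))
```

Run on the sample this reports lines 2, 3 and 5; line 7 is equally undefined but slips through because the pattern insists on a comma after the repeated buffer name, which is one of the false negatives a compiler-side check would not have. GCC's -Wrestrict (in -Wall since GCC 7) diagnoses this aliasing for sprintf-family calls at compile time, which is the kind of build-log cross-check the reply above suggests.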
