Re: mass bug filing for undefined sn?printf use
On Wed, Dec 31, 2008 at 07:01:44PM -0800, Nicholas Breen wrote:
> While fixing one of the affected packages, I discovered that it was
> using similarly problematic syntax to act as a strcat replacement of the
> form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch. I
> can't imagine that's a common mistake, but it's easy enough to match on
> as well:
> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'
Oh! Good catch, thank you. I've started a re-run with the regex changed.
So far, it's already caught new stuff. I'll post updated details once it
Kees Cook @debian.org