Re: mass bug filing for undefined sn?printf use

To: debian-devel@lists.debian.org
Subject: Re: mass bug filing for undefined sn?printf use
From: nbreen@ofb.net (Nicholas Breen)
Date: Wed, 31 Dec 2008 19:01:44 -0800
Message-id: <[🔎] 20090101030144.GA23247@ofb.net>
In-reply-to: <20081228084246.GE12532@outflux.net>
References: <20081228084246.GE12532@outflux.net>

On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> Hi,
> 
> I'd like to seek advice before I perform a mass-bug filing for this
> unstable (though semi-common) use of "sprintf" and "snprintf":
[...]
>   pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'

While fixing one of the affected packages, I discovered that it was
using similarly problematic syntax to act as a strcat replacement of the
form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch.  I
can't imagine that's a common mistake, but it's easy enough to match on
as well:

  pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'

> gabedit
> gromacs
> openbabel

All pending upload, thanks.

-- 
Nicholas Breen
nbreen@ofb.net

Reply to:

Follow-Ups:
- Re: mass bug filing for undefined sn?printf use
  - From: Kees Cook <kees@outflux.net>

Prev by Date: Re: Override changes standard -> optional
Next by Date: Re: Override changes standard -> optional
Previous by thread: Re: RFC: adding pre-depends to libpam-modules for lenny
Next by thread: Re: mass bug filing for undefined sn?printf use
Index(es):
- Date
- Thread