From owner-freebsd-current@FreeBSD.ORG  Mon Oct 21 23:07:52 2013
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id EDCDB96
 for <freebsd-current@freebsd.org>; Mon, 21 Oct 2013 23:07:51 +0000 (UTC)
 (envelope-from sean_bruno@yahoo.com)
Received: from nm2-vm5.bullet.mail.gq1.yahoo.com
 (nm2-vm5.bullet.mail.gq1.yahoo.com [98.136.218.132])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id AD7E22DA4
 for <freebsd-current@freebsd.org>; Mon, 21 Oct 2013 23:07:51 +0000 (UTC)
Received: from [216.39.60.181] by nm2.bullet.mail.gq1.yahoo.com with NNFMP;
 21 Oct 2013 23:00:58 -0000
Received: from [208.71.42.197] by tm17.bullet.mail.gq1.yahoo.com with NNFMP;
 21 Oct 2013 23:00:58 -0000
Received: from [127.0.0.1] by smtp208.mail.gq1.yahoo.com with NNFMP;
 21 Oct 2013 23:00:58 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
 t=1382396458; bh=15qGdzIT7KlFZthMNFQgpiXvbna0igmxcAzq5KMV/ks=;
 h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Subject:From:Reply-To:To:Cc:In-Reply-To:References:Content-Type:Date:Message-ID:Mime-Version:X-Mailer;
 b=m2LxzIFDFlrm8ZVNQH6O8LqbXJmsVqPNhbpDjFoGX5ZwIS1qzi0vgD5Jn1JHr5JZ465JrQudbd2K9S5shdceDCgIHWL9YY0ymdO62sMRLn1wMJYj/U2eXUcW86Swnqv/fNi7VpCqNyTRX+SuhV5Y2i1sId62be33krw9ubGZK/4=
X-Yahoo-Newman-Id: 565919.15257.bm@smtp208.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: ijXbnb4VM1nHbcePMnR2Y6Cw4JNk5XU1sdzKB_YRR9b1QOF
 bhxj9EwsiukudIr02sZxUXY7be2Fbb0z6CH6D0rokQ7aqg7YkzSRK40v0h6I
 fFKI8JuUG88.l3b3ICNGdP2iVpMso7yHb.cdMd1YkIkSmC4x9IlSQIFt3Nzk
 T4bFZKbZmhLZOhPN8CoJyNv6HGLHKQqNgkraAW4fsgIu5JqVoCyXOqBQcBbX
 TTBGe_auNCzXkbvWA0nld4PKpxjlJjpt1X_NG2nyHvrQfb.zSl94KuelgNG9
 4rWUKE01VwxcmrC4srMF0SVFushvUP4KKOOtdJ1FgUeaPZq5BPslD22hbITI
 IrbBsNZpiMPG6CqVwDZ1kv7qkflSTymqPTZT.21AleWNplKZ.hwuWgecH4N2
 J9IjL3nV3NVGo4IgR4c.DQzVYmKFwCbAuYY_c0UsGR6TdPx6hhUnDHOTkox1
 VHCXFw6HlO8IvxA.w.z5kp__SSeqsZ1D4K4fF1mEr1WPyUBF.g0Z7RSfx7fe
 f.LEmNlssNXA0bnNcre6CUyZalvzbNlue034mpUIl_e7lBm25Q2oVWUxlTmy
 hZ7KeQXv9
X-Yahoo-SMTP: u5BKR6OswBC_iZJVfGRoMkTIpc8pEA4-
X-Rocket-Received: from [192.168.1.3] (sean_bruno@96.47.64.130 with )
 by smtp208.mail.gq1.yahoo.com with SMTP; 21 Oct 2013 16:00:58 -0700 PDT
Subject: Re: contrib/gcclibs/libssp security warning
From: Sean Bruno <sean_bruno@yahoo.com>
To: Dimitry Andric <dim@FreeBSD.org>
In-Reply-To: <543E81FB-3C62-4CE6-B2D4-63A0ED7CE006@FreeBSD.org>
References: <1382327252.2610.2.camel@localhost>
 <543E81FB-3C62-4CE6-B2D4-63A0ED7CE006@FreeBSD.org>
Content-Type: multipart/signed; micalg="pgp-sha1";
 protocol="application/pgp-signature"; boundary="=-ol176hfl+8sjbf2rDUdt"
Date: Mon, 21 Oct 2013 19:00:56 -0400
Message-ID: <1382396456.7749.0.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.1 FreeBSD GNOME Team Port 
Cc: freebsd-current@freebsd.org
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: sbruno@freebsd.org
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2013 23:07:52 -0000


--=-ol176hfl+8sjbf2rDUdt
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

On Mon, 2013-10-21 at 08:44 +0200, Dimitry Andric wrote:
> On Oct 21, 2013, at 05:47, Sean Bruno <sean_bruno@yahoo.com> wrote:
> > There's an unchecked syslog call inside of libssp/ssp.c=20
> >=20
> >=20
> > /usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23:
> > warning: format string is not a string literal (potentially insecure)
> >      [-Wformat-security]
> >    syslog (LOG_CRIT, msg1);
> >                      ^~~~
> > 1 warning generated.
> > /usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23:
> > warning: format string is not a string literal (potentially insecure)
> >      [-Wformat-security]
> >    syslog (LOG_CRIT, msg1);
> >=20
> > I propose the following change:
> >=20
> > Index: contrib/gcclibs/libssp/ssp.c
> > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> > --- contrib/gcclibs/libssp/ssp.c        (revision 256712)
> > +++ contrib/gcclibs/libssp/ssp.c        (working copy)
> > #ifdef HAVE_SYSLOG_H
> >   /* Only send the error to syslog if there was no tty available.  */
> >   else
> > -    syslog (LOG_CRIT, msg3);
> > +    syslog (LOG_CRIT, "%s", msg3);
> > #endif /* HAVE_SYSLOG_H */
> >=20
>=20
>=20
> Heh, this is also still in upstream gcc. :-)  It should not be a real
> security problem, as the fail() function is only ever called twice, with
> predictable const char arguments.  But better safe than sorry, so LGTM.
>=20
> -Dimitry
>=20


done at svn r256866

sean

--=-ol176hfl+8sjbf2rDUdt
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQEcBAABAgAGBQJSZbIoAAoJEBkJRdwI6BaH22IIAIjOhyLeYHF0fb99r2+gVTvG
ArPreu0A5hl0oq3+PZWNkmRv77FxjH027L+Bog+FQMATE61VQL///gB90BfW25EZ
2nlr6jjEsoTbtTLunDY/PHByypV38ZXtiHJNPADY3/sP96xfFsRUgonHQeYvnfEj
dtwGXAoLJjoZae34FwpZnSic9BnE/OnCw4Lt5BpW8P0P6CRofkwmnO5KqtrT4RuU
xj08KtaE/c2/PzpPSNiucF0gVAK1vNiF1sOG6N2zwzyWUCZYQyZopuLlH295RKA8
1CYDuiqtgDGxMckKyYd18ezfNeeNehZRALpSS1Y+lbYxcwmVMr7RcCvDgOxkBL0=
=Xnnn
-----END PGP SIGNATURE-----

--=-ol176hfl+8sjbf2rDUdt--