Date: Mon, 7 Oct 2002 21:12:14 +0300 (EEST)
From: eugene@bran-fag.org
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/43777: the file name is used as a format string by nvi
Message-ID: <200210071812.VAA62977@kabir.zssm.zp.ua>
>Number: 43777
>Category: bin
>Synopsis: the file name is used as a format string by nvi
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 07 11:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Eugene Polovnikov
>Release: FreeBSD 4.7-RC i386
>Organization:
>Environment:
I guess this bug is present in all versions of NVI, at least since 1.79
>Description:
The name of the written file is used as a part of a format string for vsnprintf
in msgq() as a result of non-accurate(???) usage of snprintf in
lines 976 & 982 of common/extf.c
>How-To-Repeat:
Just edit any file that contains printf-like format codes in its name and
look at the messages after the file is written.
>Fix:
Maybe not really a fix, but only a workaround:
--- exf.c.ORIG Mon Oct 7 21:00:26 2002
+++ exf.c Mon Oct 7 21:03:55 2002
@@ -1004,7 +1004,7 @@
*--s = '.';
}
}
- msgq(sp, M_INFO, s);
+ msgq(sp, M_INFO, "%s", s);
if (nf)
FREE_SPACE(sp, p, 0);
return (0);
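Review bot: The changed call `msgq(sp, M_INFO, "%s", s);` has no comment saying why the constant format is required, and `s` is a buffer assembled at run time (the `*--s = '.';` line just above edits it in place). A one-line comment stating that `s` carries the file name and must never be passed as the format argument would keep a later cleanup from reverting to `msgq(sp, M_INFO, s);`.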
And another patch, not directly related, but it can close similar problems:
--- msg.c.orig Mon Oct 7 21:05:35 2002
+++ msg.c Mon Oct 7 21:06:30 2002
@@ -368,7 +368,7 @@
char *p;
if (str == NULL) {
- msgq(sp, mtype, fmt);
+ msgq(sp, mtype, "%s", fmt);
return;
}
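Review bot: In the `str == NULL` branch, `msgq(sp, mtype, "%s", fmt);` also changes how an escaped percent is shown: a `%%` in `fmt` was previously collapsed to a single `%` by the formatter and will now be printed doubled. Callers that pass a NULL `str` should be audited for messages containing `%%`, or the function should document that `fmt` is printed verbatim when `str` is NULL.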
>Release-Note:
>Audit-Trail:
>Unformatted:
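The pattern behind the workaround above, as an added example that is not part of the original report and is not nvi code: `msg_format()` is a hypothetical stand-in for `msgq()`, the file name is a constructed sample, and the `format` attribute assumes GCC or Clang. The status text containing the file name is built first and then handed to the printf-style sink as data behind a constant `"%s"`, while `count_conversions()` shows how many conversions that same text would have triggered had it been passed as the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for msgq(). The attribute (GCC/Clang) lets
 * -Wformat-security flag callers that pass a non-literal format. */
static int msg_format(char *out, size_t len, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int msg_format(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Conversions a printf-style parser would act on in s ("%%" is a literal). */
static size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* escaped percent, consumes no argument */
        else
            n++;
    }
    return n;
}

/* Build the status text first, then pass it as data, never as the format. */
static int report_written(char *out, size_t len, const char *name, unsigned long lines)
{
    char text[256];
    snprintf(text, sizeof(text), "%s: %lu lines written", name, lines);
    return msg_format(out, len, "%s", text);
}

int main(void)
{
    char out[256];
    report_written(out, sizeof(out), "report-%s-%d.txt", 12UL); /* constructed name */
    puts(out);
    return 0;
}
```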
