From owner-freebsd-bugs Mon Oct 7 11:20:09 2002
Message-Id: <200210071812.VAA62977@kabir.zssm.zp.ua>
Date: Mon, 7 Oct 2002 21:12:14 +0300 (EEST)
From: eugene@bran-fag.org
Reply-To: eugene@brain-fag.org
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.2
Subject: bin/43777: the file name is used as a format string by nvi
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number: 43777
>Category: bin
>Synopsis: the file name is used as a format string by nvi
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 07 11:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Eugene Polovnikov
>Release: FreeBSD 4.7-RC i386
>Organization:
>Environment:
I guess this bug is present in all versions of NVI, at least since 1.79
>Description:
The name of the written file is used as part of a format string for vsnprintf in msgq(), as a result of non-accurate(???) usage of snprintf in lines 976 & 982 of common/extf.c
>How-To-Repeat:
Just edit any file that contains printf-like format codes in its name and look at the messages after the file is written.
>Fix:
Maybe not a real fix, but only a workaround:

--- exf.c.ORIG Mon Oct 7 21:00:26 2002 +++ exf.c Mon Oct 7 21:03:55 2002 @@ -1004,7 +1004,7 @@ *--s = '.'; } } - msgq(sp, M_INFO, s); + msgq(sp, M_INFO, "%s", s); if (nf) FREE_SPACE(sp, p, 0); return (0);

and another path, not directly related, but it can close similar problems:

--- msg.c.orig Mon Oct 7 21:05:35 2002 +++ msg.c Mon Oct 7 21:06:30 2002 @@ -368,7 +368,7 @@ char *p; if (str == NULL) { - msgq(sp, mtype, fmt); + msgq(sp, mtype, "%s", fmt); return; }

>Release-Note:
>Audit-Trail:
>Unformatted:
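
Review bot: In the exf.c hunk at -1004, the corrected call `msgq(sp, M_INFO, "%s", s);` has nothing to tell a later reader why the constant format is required, and the report places the origin of the problem in the snprintf calls at lines 976 and 982 that build `s`, which this hunk does not show. Add a short comment at the call saying that `s` contains the file name and must only ever be passed as an argument, and check the other msgq() calls in exf.c for a buffer passed in the format position.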
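
Review bot: In the msg.c hunk at -368, passing `fmt` as the argument of "%s" in the `str == NULL` branch changes how the text is rendered: a `%%` that a caller wrote in `fmt` is now shown as two characters instead of one, and any conversion in `fmt` is shown literally. Check the callers that can reach this branch with `str == NULL`, and if `fmt` is always a plain message there, state that in a comment above the `if (str == NULL)` test.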
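
The difference the report describes, as an added example that is not part of the original message and is not nvi code: a message that embeds the file name is passed first as the format and then as data for a constant "%s". The names `demo_msgq`, `arg_conversions`, `show_before` and `show_after` are hypothetical, and the status line is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for msgq(): passes fmt and the varargs to vsnprintf. */
static int demo_msgq(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Count conversions in s that would make vsnprintf fetch an argument.
 * "%%" fetches nothing; a '*' width or precision fetches one extra int. */
static int arg_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%' || *++s == '%')
            continue;
        while (*s && strchr("-+ #0123456789.*hljztL", *s))
            n += (*s++ == '*');
        if (*s == '\0') break;
        n++;
    }
    return n;
}

/* Before the patch: msg is the format. Refused if it would fetch arguments. */
static int show_before(char *out, size_t len, const char *msg)
{
    return arg_conversions(msg) ? -1 : demo_msgq(out, len, msg);
}

/* After the patch: msg is only data for a constant "%s" format. */
static int show_after(char *out, size_t len, const char *msg)
{
    return demo_msgq(out, len, "%s", msg);
}

int main(void)
{
    char a[128], b[128];
    const char *msg = "100%%.txt: 3 lines"; /* constructed: file named 100%%.txt */
    show_before(a, sizeof(a), msg);
    show_after(b, sizeof(b), msg);
    return printf("before: %s\nafter:  %s\n", a, b) < 0;
}
```

Declaring `demo_msgq` with `__attribute__((format(printf, 3, 4)))` lets GCC and Clang report the non-literal format in `show_before` under `-Wformat-security`.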