From owner-cvs-all Wed Oct 4 8:44:52 2000
Message-Id: <200010041544.JAA36951@harmony.village.org>
To: Trevor Johnson
Subject: Re: cvs commit: src/usr.sbin/vipw pw_util.c
Cc: Peter Wemm, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-reply-to: Your message of "Wed, 04 Oct 2000 02:16:45 EDT."
Date: Wed, 04 Oct 2000 09:44:40 -0600
From: Warner Losh

In message Trevor Johnson writes:
: > peter 2000/10/03 22:42:23 PDT
: >
: > Modified files: (Branch: RELENG_3)
: > usr.sbin/vipw pw_util.c
: > Log:
: > MFC: printf-style format fix. warn(string) -> warn("%s", string)
:
: Any relation to the "format string vulnerability in libutil pw_error(3)
: function" advisory from OpenBSD?

Yes. We fixed this months ago in all but the old branches... OpenBSD
fixed it in about the same time period. There was a bugtraq posting
that included exploit code for this that triggered the back merge.
Peter and I had the same idea, because I made the merge and got
uptodate check failed from CVS when I went to commit it.

Warner
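
The call-shape change named in the commit log, warn(string) -> warn("%s", string), as an added example that is not part of the original message and not the FreeBSD source. `demo_warn`, `report_fixed` and `count_conversions` are hypothetical names, and the file name is a constructed sample; the example shows that text containing conversion specifications is emitted verbatim once it is passed as an argument rather than as the format.

```c
#include <stdarg.h>
#include <stdio.h>

/* Number of conversion specifications a printf-family function would act on
 * if s were used as the format string. "%%" is a literal percent sign. */
int count_conversions(const char *s)
{
    int n = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the escaped percent */
        else
            n++;            /* would consume a variadic argument */
    }
    return n;
}

/* Hypothetical stand-in for warn(3): same printf-style contract, but it
 * formats into a caller-supplied buffer so the result can be checked. */
int demo_warn(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Call shape after the fix: the text is data, "%s" is the only format. */
int report_fixed(char *out, size_t outlen, const char *text)
{
    return demo_warn(out, outlen, "%s", text);
}

int main(void)
{
    /* Constructed sample: a name carrying conversion specifications. */
    const char *name = "/tmp/%x%x.master";
    char buf[64];

    report_fixed(buf, sizeof(buf), name);
    printf("%d conversions if used as format; fixed output: %s\n",
        count_conversions(name), buf);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag printf-family calls whose format is a non-literal string with no further arguments, which is the pre-fix call shape.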