Date:      Sun, 20 Oct 2013 23:47:32 -0400
From:      Sean Bruno <sean_bruno@yahoo.com>
To:        "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject:   contrib/gcclibs/libssp security warning
Message-ID:  <1382327252.2610.2.camel@localhost>

There's an unchecked syslog call inside of libssp/ssp.c


/usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23:
warning: format string is not a string literal (potentially insecure)
      [-Wformat-security]
    syslog (LOG_CRIT, msg1);
                      ^~~~
1 warning generated.
/usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23:
warning: format string is not a string literal (potentially insecure)
      [-Wformat-security]
    syslog (LOG_CRIT, msg1);

I propose the following change:

Index: contrib/gcclibs/libssp/ssp.c
===================================================================
--- contrib/gcclibs/libssp/ssp.c        (revision 256712)
+++ contrib/gcclibs/libssp/ssp.c        (working copy)
 #ifdef HAVE_SYSLOG_H
   /* Only send the error to syslog if there was no tty available.  */
   else
-    syslog (LOG_CRIT, msg3);
+    syslog (LOG_CRIT, "%s", msg3);
 #endif /* HAVE_SYSLOG_H */
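
Review bot: the removed and added lines pass msg3, but the compiler warning quoted above is for `syslog (LOG_CRIT, msg1);` at ssp.c:137, so the variable name in the -/+ lines should be checked against the file at revision 256712 before this is committed. The "%s" form itself is the right way to address -Wformat-security here, since the message is then logged as data and any % sequences in it are not interpreted as conversions. The hunk also has no @@ line-range header, so it will not apply with patch(1) as posted; regenerating it with svn diff from the working copy would restore that.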

