From: Sean Bruno <sean_bruno@yahoo.com>
Reply-To: sbruno@freebsd.org
To: freebsd-current@freebsd.org
Subject: contrib/gcclibs/libssp security warning
Date: Sun, 20 Oct 2013 23:47:32 -0400
Message-ID: <1382327252.2610.2.camel@localhost>
List-Id: Discussions about the use of FreeBSD-current

There's an unchecked syslog call inside of libssp/ssp.c

/usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
        syslog (LOG_CRIT, msg1);
                          ^~~~
1 warning generated.
I propose the following change:

Index: contrib/gcclibs/libssp/ssp.c =================================================================== --- contrib/gcclibs/libssp/ssp.c (revision 256712) +++ contrib/gcclibs/libssp/ssp.c (working copy) #ifdef HAVE_SYSLOG_H /* Only send the error to syslog if there was no tty available. */ else - syslog (LOG_CRIT, msg3); + syslog (LOG_CRIT, "%s", msg3); #endif /* HAVE_SYSLOG_H */
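Review bot: the hunk changes the `msg3` call, but the compiler warning quoted above points at ssp.c:137 and names `syslog (LOG_CRIT, msg1);`, so that call site needs the same `"%s"` literal format or the -Wformat-security warning will still be generated; every syslog call in the file that passes an assembled message as its format argument should get the same treatment in one patch. Also, as quoted the diff carries no `@@` hunk header between the `+++` line and the context lines, so unless that is mail mangling it will not apply with patch(1); regenerating it with svn diff against r256712 (the revision named in the header) would fix both.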
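As an added illustration of the defect class in this mail (not code from the mail or from libssp): a message assembled at runtime is passed once as the format argument and once through a literal "%s". snprintf stands in for syslog so the effect is observable without a log daemon; SAMPLE_MSG and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an assembled message that already embeds runtime
 * data (a program name) and happens to contain '%' characters. In the
 * source literal "%%" is two characters; only a format parser collapses it. */
#define SAMPLE_MSG "*** stack smashing detected ***: prog_100%%_done terminated"

/* Bug pattern (what ssp.c did): the assembled message *is* the format
 * string, so every '%' in it is parsed as a conversion directive. This is
 * exactly the call shape -Wformat-security flags. */
int log_unsafe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);
}

/* Fix pattern (what the proposed patch does): a literal "%s" format, the
 * message is merely an argument and is copied verbatim. */
int log_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Returns 1 if the message reaches the log unchanged, 0 if it was
 * reinterpreted as a format string on the way. */
int message_preserved(int (*logfn)(char *, size_t, const char *),
                      const char *msg)
{
    char buf[256];
    logfn(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    char buf[256];
    log_unsafe(buf, sizeof buf, SAMPLE_MSG);
    printf("format arg : %s\n", buf);   /* "%%" collapsed to "%" */
    log_safe(buf, sizeof buf, SAMPLE_MSG);
    printf("\"%%s\" arg   : %s\n", buf); /* message copied verbatim */
    return 0;
}
```

With the unsafe form, "%%" in the message is the mildest possible outcome; any other directive would consume arguments the call never supplied.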