Date: Mon, 21 Oct 2013 08:44:10 +0200
From: Dimitry Andric <dim@FreeBSD.org>
To: Sean Bruno <sbruno@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: contrib/gcclibs/libssp security warning
Message-ID: <543E81FB-3C62-4CE6-B2D4-63A0ED7CE006@FreeBSD.org>
In-Reply-To: <1382327252.2610.2.camel@localhost>
References: <1382327252.2610.2.camel@localhost>

On Oct 21, 2013, at 05:47, Sean Bruno <sean_bruno@yahoo.com> wrote:
> There's an unchecked syslog call inside of libssp/ssp.c
>
>
> /usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23:
> warning: format string is not a string literal (potentially insecure)
> [-Wformat-security]
> syslog (LOG_CRIT, msg1);
> ^~~~
> 1 warning generated.
> /usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23:
> warning: format string is not a string literal (potentially insecure)
> [-Wformat-security]
> syslog (LOG_CRIT, msg1);
>
> I propose the following change:
>
> Index: contrib/gcclibs/libssp/ssp.c
> ===================================================================
> --- contrib/gcclibs/libssp/ssp.c (revision 256712)
> +++ contrib/gcclibs/libssp/ssp.c (working copy)
> #ifdef HAVE_SYSLOG_H
> /* Only send the error to syslog if there was no tty available. */
> else
> - syslog (LOG_CRIT, msg3);
> + syslog (LOG_CRIT, "%s", msg3);
> #endif /* HAVE_SYSLOG_H */
>

Heh, this is also still in upstream gcc. :-) It should not be a real
security problem, as the fail() function is only ever called twice, with
predictable const char arguments. But better safe than sorry, so LGTM.

-Dimitry
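
Review bot: the changed call passes msg3, but the -Wformat-security warning quoted above is reported at ssp.c:137 for `syslog (LOG_CRIT, msg1);`, so as posted the hunk does not visibly touch the call the compiler flagged. Confirm which variable the call at line 137 uses and regenerate the diff from the tree; the hunk also carries no `@@` line-range header, so it cannot be matched against line 137 or applied as posted.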
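
The two call shapes from the quoted patch, side by side, as an added example that is not part of the original message or of libssp. `capture_log` is a hypothetical stand-in for syslog(3) that renders into a buffer so the result can be inspected, and the sample messages are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3): same (priority, format, ...) shape,
   but it renders into a buffer so the result can be inspected. */
static char last_record[128];

static void capture_log(int priority, const char *format, ...)
{
    va_list ap;

    (void)priority;               /* a real logger would route on this */
    va_start(ap, format);
    vsnprintf(last_record, sizeof last_record, format, ap);
    va_end(ap);
}

/* Call shape before the patch: the message is used as the format string. */
const char *log_as_format(const char *msg)
{
    capture_log(2, msg);          /* 2 is a placeholder priority */
    return last_record;
}

/* Call shape after the patch: constant format, message passed as data. */
const char *log_as_data(const char *msg)
{
    capture_log(2, "%s", msg);
    return last_record;
}

int main(void)
{
    /* Constructed messages. Only "%%" is used: a conversion that consumes
       an argument would read arguments that were never passed, which is
       undefined behaviour and the reason the compiler warns. */
    const char *samples[] = { "stack smashing detected", "buffer 100%% full" };
    char a[128];
    const char *b;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        strcpy(a, log_as_format(samples[i]));   /* copy before the buffer is reused */
        b = log_as_data(samples[i]);
        printf("as format: [%s]  as data: [%s]%s\n", a, b,
               strcmp(a, b) ? "  (differs)" : "");
    }
    return 0;
}
```

A message with no `%` comes out the same either way, which matches the observation in the reply about predictable constant arguments; the `"%s"` form keeps that true whatever the message contains.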