I believe this fixes vulnerability #3 from CERT CA-1999-11.[1] The other uses of sprintf in DtAction seem to be safe.
-Rob [1] https://www.cert.org/advisories/CA-1999-11.html Signed-off-by: Robert Tomsick <rob...@tomsick.net> --- cde/programs/dtaction/Main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cde/programs/dtaction/Main.c b/cde/programs/dtaction/Main.c index cecdceb..087aa4b 100644 --- a/cde/programs/dtaction/Main.c +++ b/cde/programs/dtaction/Main.c @@ -898,7 +898,7 @@ GetUserPrompt( void ) XmString cancelLabel; XmString okLabel; - sprintf(prompt, (GETMESSAGE(1,5, "Enter password for user %s:")), + snprintf(prompt, BUFSIZ, (GETMESSAGE(1,5, "Enter password for user %s:")), appArgs.user); xmString = XmStringCreateLocalized(prompt); xmString2 =XmStringCreateLocalized(GETMESSAGE(1,6, "Action Invoker - Password")); -- 1.7.10.4
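Review bot: the bound passed to snprintf in the GetUserPrompt hunk is the bare constant BUFSIZ, but the declaration of `prompt` lies outside the hunk, so a reviewer cannot confirm from the diff that the buffer really is BUFSIZ bytes; if `prompt` is a local array, `snprintf(prompt, sizeof(prompt), ...)` ties the bound to the declaration and stays correct if the buffer size is later changed. Two smaller points: a long `appArgs.user` is now truncated silently rather than overflowing, which is fine for a dialog label but deserves a sentence in the commit message, and snprintf is a C99/SUSv2 interface, so it is worth checking that the oldest platform this tree still builds on provides it.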