Hi, I'd like to seek advice before I perform a mass-bug filing for this unstable (though semi-common) use of "sprintf" and "snprintf":
    sprintf(buf, "%s foo %d %d", buf, var1, var2);

This is used in many upstreams to perform a format-string-handling version of strcat. This was originally noticed by Anders Kaseorg in Ubuntu[1], since -D_FORTIFY_SOURCE=2 triggers a change in behavior (buf is truncated before handling the rest of the format string instead of performing the concat).

Upstream glibc points out[2] that using sprintf in this way is undefined under C99, and the man pages have now been updated[3] to reflect this. (Though I believe it is possible to patch glibc to avoid the change in behavior, it's probably best to work on fixing all the upstreams.)

In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2, and some have Build-Depends on "hardening-wrapper", which enables this compiler flag. As such, it seems sensible to have all affected packages fixed since the results of such a call could change. (Though it is not an RC issue.)

And, a possible solution from Anders Kaseorg...

This example sprintf() call could be fixed as follows:

    -sprintf(buf, "%s plus %d", buf, k);
    +sprintf(buf + strlen(buf), " plus %d", k);

Similarly, an invalid snprintf() call could be fixed as follows:

    -snprintf(buf, buflen, "%s plus %d", buf, k);
    +snprintf(buf + strlen(buf), buflen - strlen(buf), " plus %d", k);

Attached is a list of affected packages, generated via:

    pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
    pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'

The logs for individual packages can be seen here[4]. I've tried to trim out stuff that was Ubuntu-specific or not relevant, so apologies in advance if there are incorrect (or missing) things in the list.

Thoughts?

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/305901
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=7075
[3] http://article.gmane.org/gmane.linux.man/639
[4] http://people.ubuntu.com/~kees/sprintf-glibc/logs/

-- 
Kees Cook @debian.org
4g8 abiword ace adplug afnix afterstep aqualung arrayprobe asterisk audacious-plugins avr-evtd barnowl barrage billard-gl binutils binutils-avr binutils-h8300-hms binutils-m68hc1x black-box blender blobandconquer blobwars bochs bomberclone bumprace cal canna cbflib cdw cfs cpad-kernel cpqarrayd cricket criticalmass crossfire ctn curl dact db4.2 dc-qt desmume dwww dx ebview eggdrop emil epiphany espeak ettercap evolution-data-server freedink fvwm gabedit gaby gamix gammu gatos gcc-3.3 gcc-3.4 gcc-4.1 gcc-4.2 gcc-4.3 gcc-m68hc1x gcc-snapshot gcl gclcvs gcolor2 gcom gdal gdb gdb-avr gdb-m68hc1x gdis genesis gmt gnat-gps gnome-games gnuchess gnuplot gpe-conf gplcver gpstrans grace grass gridengine grmonitor gromacs gtk-imonc htdig hypermail iaxclient ifmail insight ircd-hybrid ircd-ratbox ircii isdnutils kdeedu kover l2tpns lcdproc lesstif2 lftp libcdk5 libgsl-ruby liblunar libopenobex libpar-packer-perl libsmi libstatgrab libx11 linux-2.6 logtool lopster ltp luola mafft man2html mapserver med-fichier micro-evtd mindi-busybox mod-bt mondo mozart mp3rename mp3splt mplayer mrpt multi-aterm mysql-dfsg-5.0 mysql-gui-tools nagios-plugins nap ncbi-tools6 netatalk nws oftc-hybrid ogdi-dfsg openbabel openmx osiris owl packit paraview pari pcsx pcsx-df penguin-command pennmush player plib pload plotmtv pocketpc-binutils pocketpc-gas prismstumbler psemu-video-x11 psqlodbc qpopper restartd rockdodger root-system rudiments samba screader scrollkeeper sdlperl sextractor shadow sidplay sidplay-libs sip-tester slony1 smsclient sqlrelay starfighter swish-e symmetrica tack tcpick tcptrack tetrinetx tgif timidity tn5250 trueprint uclmmbase ude uim unicon unixodbc unpaper user-mode-linux uucpsend varkon vbpp vdr-plugin-weather vdr-plugin-xineliboutput viruskiller vlc vrflash vtk vzquota w-bassman wacom-tools wayv welcome2l wmfrog wmi xabacus xawtv xball xbill xenomai xfce4-mpc-plugin xgalaga xmcd xpilot-ng xtrkcad xulrunner xxgdb yap yasm z88dk
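The snprintf() rewrite proposed in the mail, written up as an added example (not code from the mail, from glibc or from any of the listed packages): the helper buf_appendf() is a constructed wrapper that formats into buf + strlen(buf) with the remaining space as the limit, and also refuses the one input the bare "buflen - strlen(buf)" expression cannot handle, a buffer with no terminator inside buflen, where the subtraction would wrap around.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text to a NUL-terminated buffer of size buflen, the
 * way the corrected snprintf() line does: the destination is buf + strlen(buf),
 * so buf is never also a "%s" argument. Returns vsnprintf()'s result (a value
 * >= remaining space means truncation), or -1 if buf has no NUL within
 * buflen, where "buflen - strlen(buf)" would wrap to a huge size_t. */
int buf_appendf(char *buf, size_t buflen, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', buflen);
    size_t used;
    va_list ap;
    int n;

    if (end == NULL)
        return -1;
    used = (size_t)(end - buf);
    va_start(ap, fmt);
    n = vsnprintf(buf + used, buflen - used, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed scenario: a 16-byte buffer filled by two appends. */
static char demo_buf[16];

int demo_first_append(void)
{
    strcpy(demo_buf, "hello");
    /* The undefined form from the mail, as a comment only:
     *   sprintf(demo_buf, "%s plus %d", demo_buf, 42);        */
    return buf_appendf(demo_buf, sizeof demo_buf, " plus %d", 42);
}

/* " and more" needs 9 bytes but only 3 remain, so this one is truncated. */
int demo_second_append(void)
{
    return buf_appendf(demo_buf, sizeof demo_buf, " and %s", "more");
}

const char *demo_result(void) { return demo_buf; }
/* No terminator within the buffer: refuse rather than read/write past it. */
int demo_unterminated(void)
{
    char raw[4] = { 'a', 'b', 'c', 'd' };
    return buf_appendf(raw, sizeof raw, "x");
}
```

Checking the return value against the remaining space is what tells the caller that the second append was cut to "hello plus 42 a" instead of silently losing data.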