On Wednesday, July 1, 2020 4:47:51 PM EDT Sergio Belkin wrote:
> The line in the code is :
> 
>  if(upLogPerror) ::write(2,logbuf,n); \
> 
> Regarding the "format not a string literal and no format arguments
> [-Werror=format-security]" message.
> AFAIK, instructions of the kind printf(format,var1,var2,...) always fail,
> since it can't verify at compile time that the format includes the number
> of variables that appear later.
> 
> If the developer does not use formats entered by the user, the exploit
> disappears, doesn't it?
> 
> So the question is: in this case I can override the Fedora compiler flags?

This is pointing to a potential exploit in the code. In general, this is the 
pattern it's detecting:

#include <stdio.h>
#define BUF_SIZE 256

char user_input[BUF_SIZE];

get_user_input(user_input);   /* attacker-controlled bytes land here */
printf(user_input);           /* BUG: the data itself is used as the format string */

The fix is to change the printf to

printf("%s", user_input);     /* literal format; the data is only ever an argument */

Hope this helps...

-Steve
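
The pattern Steve describes, worked through as an added example (this is not code from the thread, from the package in question or from the Fedora project): the vulnerable call beside the fixed one, plus the runtime check a practitioner wants for the rare path where the format genuinely cannot be a literal. The function names, BUF_SIZE and the sample input are assumptions made for the demo. GCC's -Wformat-security flags exactly the case shown here, a non-literal format with no further arguments; Fedora's build flags turn that into an error, so the diagnostic pragma is present only to let the vulnerable form compile for comparison and is not something to ship.

```c
/* Added example (not from the thread): why a non-literal format string is
 * dangerous and what to do about it.  Function names, BUF_SIZE and the
 * sample input are assumptions made for this demonstration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128

/* Vulnerable form: the caller's text is passed as the format string.  With
 * -Werror=format-security this does not compile ("format not a string
 * literal and no format arguments").  The pragma silences the warning ONLY
 * so the demo can show the difference in behaviour; do not ship it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_unsafe(char *out, size_t n, const char *user_input)
{
    /* Every '%' in user_input is interpreted by the format engine:
     * "%x" reads stack words, "%s" dereferences them, "%n" writes memory. */
    return snprintf(out, n, user_input);
}
#pragma GCC diagnostic pop

/* Fixed form: the format is a literal; user_input is only ever an argument. */
int log_safe(char *out, size_t n, const char *user_input)
{
    return snprintf(out, n, "%s", user_input);
}

/* Runtime check for code paths where a non-literal format cannot be avoided
 * (e.g. message templates read from a file): true if the string contains any
 * conversion directive, i.e. a '%' that is not the "%%" escape. */
bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign, skip it */
            s++;
            continue;
        }
        return true;         /* "%x", "%n", or a trailing lone '%' */
    }
    return false;
}

int main(void)
{
    /* Constructed input: harmless, but it already shows the format engine
     * consuming the text.  "%x %x %x" would show the stack leak, but calling
     * snprintf with it and no arguments is undefined behaviour, so it is only
     * fed to the scanner, never executed. */
    const char *input = "50%% off";
    char buf[BUF_SIZE];

    log_unsafe(buf, sizeof buf, input);
    printf("unsafe: \"%s\"\n", buf);   /* 50% off  (the %% was consumed) */
    log_safe(buf, sizeof buf, input);
    printf("safe:   \"%s\"\n", buf);   /* 50%% off (data passed through) */

    printf("directives in \"%%x %%x %%x\": %d\n",
           has_format_directive("%x %x %x"));
    printf("directives in \"%s\": %d\n", input, has_format_directive(input));
    return 0;
}
```

Remove the two pragma lines and build with `gcc -Wformat -Werror=format-security` to see the compiler reject `log_unsafe` exactly as the Fedora build does; `log_safe` compiles clean because the format is a literal.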

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
