On Sat, Aug 28, 2021 at 02:38:27PM +0200, Christian Göttsche wrote:
> Source: ncurses
> Version: 6.2+20201114-4
> Tags: security
>
> The interface functions mvprintw(3), mvwprintw(3), printw(3),
> wprintw(3) and _tracef(3) take a format string as input.
> Format strings are prone to attacks[1].
> To mitigate those, modern compilers support format string
> attributes[2,3] to warn at compile time on misuses, e.g. specifier
> mismatches.
> In ncurses these function attributes are not enabled by default; they
> are only enabled when defining the macros GCC_PRINTF and GCC_SCANF.
sure - they're conditioned on a nonstandard extension to C.

Debian can provide some patch which hardcodes that condition,
but as I recall it, there's no clean way to provide this in standard C.

(if I've overlooked some feature of C11, etc., that detail should be
provided as a followup to this bug report).

-- 
Thomas E. Dickey <dic...@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
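The conditional-attribute pattern the two messages are discussing, as an added illustration that is not ncurses' own code and not part of either message: the `format` attribute is a GNU C extension, so it is wrapped in a macro that expands to nothing on a compiler that does not support it, which is why the checking only happens when the macro is defined. The macro name `DEMO_PRINTF`, the wrapper `demo_printw` and the helper functions are hypothetical stand-ins for the `GCC_PRINTF` / `printw(3)` pair, not ncurses identifiers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a GCC_PRINTF-style conditional: the attribute is
 * a GNU C extension, so it is only emitted when the compiler understands it
 * and expands to nothing under a strict standard-C compiler.  Without it the
 * compiler has no way to relate the format string to the variadic arguments. */
#if defined(__GNUC__) || defined(__clang__)
#define DEMO_PRINTF(fmt_idx, first_arg) \
    __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define DEMO_PRINTF(fmt_idx, first_arg) /* no checking available */
#endif

/* Hypothetical printw-like wrapper: argument 3 is the format string, argument 4
 * is the first value it consumes.  Formats into a caller-supplied buffer and
 * returns the number of characters that would have been written, as snprintf does. */
int demo_printw(char *out, size_t outlen, const char *fmt, ...) DEMO_PRINTF(3, 4);

int demo_printw(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed, correctly typed call used for the checks below. */
static char g_buf[32];

int demo_ok_len(void)
{
    return demo_printw(g_buf, sizeof g_buf, "%d-%s", 42, "ok");
}

const char *demo_ok_text(void)
{
    demo_ok_len();
    return g_buf;
}

int main(void)
{
    printf("%s (%d chars)\n", demo_ok_text(), demo_ok_len());
    /* With DEMO_PRINTF active, building with -Wformat makes gcc/clang report
     * a specifier mismatch such as demo_printw(g_buf, sizeof g_buf, "%s", 42)
     * at compile time, and -Wformat-security reports a non-literal format with
     * no arguments.  Both are deliberately left out so this program builds cleanly. */
    return 0;
}
```

Compile once as-is and once with a deliberately mismatched call such as `"%s", 42` added under `-Wall -Wformat -Wformat-security`: only the second build warns, and only because `DEMO_PRINTF` expanded to the attribute. Building with `-std=c99 -pedantic` and the macro neutralised shows the point of the reply above: standard C provides no equivalent, so a distribution that wants the checks unconditionally has to hardcode the compiler-specific branch.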