Hi Andreas,

* Andreas Tille <[EMAIL PROTECTED]> [2008-05-16 15:53]:
> On Fri, 16 May 2008, Nico Golde wrote:
>
> >>- sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
> >>+ /* Fix CVE-2008-2149: buffer overflows Andreas Tille <[EMAIL
> >>PROTECTED]> */
> >>+ sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
> >
> > Please use snprintf(tmpbuf, sizeof(tmpbuf), ... instead of this.
>
> I just followed
> https://buildsecurityin.us-cert.gov/daisy/bsi-rules/home/g1/840.html
> and unfortunately it is too late now because the package just hit unstable.
> Feel free to NMU if there are any reasons to do so.
>
> Just for the sake of interest: What is the essential difference between
> the patch above and snprintf()?
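Review bot: the %.200s precision in the "+ sprintf(...)" line bounds only the av[j] argument, not the whole write; the fixed prefix "wn: invalid search option: " (27 bytes), the newline and the terminating NUL add 29 more, so the call stays in bounds only because tmpbuf happens to be 256 bytes, a relation the code never states and that breaks silently if the buffer is shrunk or the message text grows. Tie the bound to the destination instead: snprintf(tmpbuf, sizeof(tmpbuf), "wn: invalid search option: %s\n", av[j]); which also removes the need for the magic constant. The added comment line names a CVE and an author but not why 200 was chosen; that attribution belongs in the changelog, and a code comment should explain the limit if one is kept.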
I first thought the buffer you write into is also 200 bytes big, then the 0 byte sprintf writes at the end would cause an off-by-one. I just saw that it's 256 bytes big, so this should be no problem. However I still prefer clean fixes and snprintf is the clean fix for boundary problems of sprintf. Anyway, nothing that needs to be fixed with an additional upload.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
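The difference Nico describes, worked through in code. This is an added example, not code from the thread or from the wn package: it reuses the exact format strings quoted in the patch, constructs a 300-byte argument in place of av[j], and assumes the two buffer sizes discussed above (200 and 256 bytes). The precision variant is measured with snprintf(NULL, 0, ...) rather than actually overflowing a buffer, so the program is safe to run.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input standing in for av[j]: 300 'A's, far longer than
 * any legitimate search option. */
const char *long_arg(void) {
    static char arg[301];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return arg;
}

/* Bytes the patched sprintf("... %.200s\n") would write, NUL included.
 * snprintf with a NULL buffer and size 0 only measures; it writes nothing.
 * The precision caps the argument at 200, but the 27-byte prefix, the
 * newline and the NUL are added on top of that cap. */
size_t bytes_needed_precision(const char *arg) {
    return (size_t)snprintf(NULL, 0, "wn: invalid search option: %.200s\n", arg) + 1;
}

/* Bytes the original, unbounded sprintf("... %s\n") would write (the CVE). */
size_t bytes_needed_plain(const char *arg) {
    return (size_t)snprintf(NULL, 0, "wn: invalid search option: %s\n", arg) + 1;
}

/* Would a plain sprintf of 'needed' bytes overrun a buffer of bufsize? */
int sprintf_overflows(size_t needed, size_t bufsize) {
    return needed > bufsize;
}

/* The clean fix: the bound follows the destination, not the argument.
 * snprintf never writes more than bufsize bytes and always NUL-terminates
 * (for bufsize > 0). Returns 1 if the message was truncated, 0 if it fit. */
int format_bounded(char *buf, size_t bufsize, const char *arg) {
    int n = snprintf(buf, bufsize, "wn: invalid search option: %s\n", arg);
    return n < 0 || (size_t)n >= bufsize;
}

/* Run the clean fix into a 200-byte buffer with the long argument and
 * return the resulting string length: at most 199, never an overrun. */
int bounded_demo_len(void) {
    char buf[200];
    format_bounded(buf, sizeof buf, long_arg());
    return (int)strlen(buf);
}

int main(void) {
    const char *arg = long_arg();
    size_t prec = bytes_needed_precision(arg);
    size_t plain = bytes_needed_plain(arg);

    printf("%%.200s variant needs %zu bytes: overflows 200-byte buffer: %d, "
           "256-byte buffer: %d\n",
           prec, sprintf_overflows(prec, 200), sprintf_overflows(prec, 256));
    printf("%%s variant needs %zu bytes: overflows 256-byte buffer: %d\n",
           plain, sprintf_overflows(plain, 256));
    printf("snprintf into 200 bytes: string truncated to %d chars\n",
           bounded_demo_len());
    return 0;
}
```

With a 200-byte tmpbuf the %.200s patch would write 229 bytes, which is the off-by-more-than-one Nico first suspected; with 256 bytes it fits with 27 bytes to spare, but only because the prefix length and the 200 constant were chosen to add up. The snprintf form needs no such arithmetic, and its return value (the length the full message would have had) tells the caller that truncation happened.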