On Thu, Jan 01, 2009 at 10:50:49AM -0800, Kees Cook wrote:
> On Wed, Dec 31, 2008 at 07:01:44PM -0800, Nicholas Breen wrote:
> > While fixing one of the affected packages, I discovered that it was
> > using similarly problematic syntax to act as a strcat replacement of the
> > form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch. I
> > can't imagine that's a common mistake, but it's easy enough to match on
> > as well:
> >
> > pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'
>
> Oh! Good catch, thank you. I've started a re-run with the regex changed.
> So far, it's already caught new stuff. I'll post updated details once it
> has finished.
Attached is the updated list, which includes 57 new hits, and adds additional lines of affected code to gabedit, blender, desmume, and gpe-conf. I have a dump of the diff between the logs here[1]. The old logs have been moved to the "2008-12" subdirectory[2]. The "handled" list is here[3] and should reflect all the replies to this thread so far (if I missed something, please let me know and I'll get it fixed). The current list of affected Debian packages is here[4], attached, and also with the dd-list output.

At what point should I convert this list into an actual mass-bug-filing?

Thanks!

-Kees

[1] http://people.ubuntu.com/~kees/sprintf-glibc/changed.diff
[2] http://people.ubuntu.com/~kees/sprintf-glibc/2008-12/
[3] http://people.ubuntu.com/~kees/sprintf-glibc/data/handled.pkgs
[4] http://people.ubuntu.com/~kees/sprintf-glibc/debian

--
Kees Cook @debian.org
abiword apache2 apr-util binutils cricket curl db4.2 espeak evolution-data-server gdb ggz-client-libs gcc-4.1 gcc-4.2 gcc-4.3 isdnutils kdeedu kino lftp libopenobex nagios-plugins mysql-dfsg-5.0 nas python-numpy sane-backends scrollkeeper shadow unixodbc wacom-tools xscreensaver 4g8 adplug afnix afterstep amideco aqualung arrayprobe audacious-plugins avr-evtd barnowl barrage billard-gl binutils-h8300-hms binutils-m68hc1x binutils-avr black-box blender blobwars blobandconquer bochs bomberclone ace bumprace cal canna cbflib cdw cfs chinput cpad-kernel criticalmass crossfire cpqarrayd ctn dact dc-qt desmume dwww dx ebview echoping eggdrop emil epiphany ettercap freedink fvwm gabedit gaby gamix gatos gcc-3.3 gcl gcc-m68hc1x gcolor2 gcom gclcvs gdal gdb-avr gdb-m68hc1x gcc-3.4 gcc-snapshot gdis genesis glide gmult gmt gnat-gps gnuchess gnuplot gpe-conf gplcver gpstrans grace grass gridengine grmonitor gtk+extra2 gtk-imonc htdig hypermail ifmail insight ircd-hybrid ircii ircd-ratbox kasablanca kover l2tpns lcd4linux lesstif2 libcdk5 libgsl-ruby liblunar libpar-packer-perl libsmi libstatgrab logtool lopster ltp luola mafft man2html mapserver med-fichier micro-evtd mindi-busybox mod-bt mondo mozart mp3rename mp3splt mrpt multi-aterm mysql-gui-tools nap ncmpc ncbi-tools6 netatalk nws oftc-hybrid ogdi-dfsg openmx osdsh osiris owl packit paraview pari pcsx pcsx-df pennmush penguin-command player plib pload plotmtv pocketpc-gas pocketpc-binutils prismstumbler psemu-video-x11 psqlodbc qpopper restartd rockdodger root-system rudiments screader scummvm sextractor sidplay sidplay-libs sip-tester slony1 smsclient sqlrelay starfighter swish-e symmetrica tack tcpick tcptrack tetrinetx tgif tightvnc timidity tn5250 trueprint uclmmbase ude uim unicon uucpsend varkon vbpp user-mode-linux vdr-plugin-weather vdr-plugin-xineliboutput viruskiller vrflash vtk vzquota w-bassman wayv welcome2l wmfrog xabacus xball xawtv xbill xcircuit xfce4-mpc-plugin xenomai xgalaga xmcd xpilot-ng xxgdb yap 
yasm z88dk mplayer vlc xtrkcad apache2 apr ekiga esound fetchmail ggz-server krb5 lirc opal quagga vim wacom-tools webkit aqualung arrayprobe boinc calcurse centerim cfs cpqarrayd eggdrop ffmpeg2theora fluxconf geany glide gpsd gtklp jpilot libtrace3 mlt naim pavuk procinfo pure-ftpd rudiments saods9 stopmotion unworkable user-mode-linux wireshark wmnet xlockmore xosview
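As an added example (not code from the thread or from any of the listed packages), the pcregrep pattern quoted above run with Python's re over a few constructed C lines; it shows the two-line call that needs pcregrep's -M to be caught, plus two nearby forms the pattern does not match (a snprintf call, and a destination that is reused only as a later %s argument). The C sample and the lineno variable in it are made up for the demonstration.

```python
import re

# The pcregrep pattern from the thread, used verbatim. Python's re gives
# \s, [^,], [^"] and the \1 backreference the same meaning, and all of them
# match newlines, so one search over the whole file reproduces what
# `pcregrep -M` does across line boundaries.
SELF_REF_SPRINTF = re.compile(
    r'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'
)

# Constructed C source for the demonstration (not taken from any package).
SAMPLE_C = '''\
char buf[256], out[256], other[64];
sprintf(buf, "%s\\n", buf);             /* strcat-style self reference */
sprintf(buf,
        "%s: line %d\\n", buf, lineno); /* same idiom, split over two lines */
sprintf(buf, "%s\\n", other);           /* source differs from destination */
snprintf(buf, sizeof buf, "%s", buf);  /* keyed on "sprintf(": not matched */
sprintf(out, "%s%s", buf, out);        /* dest reused only as 2nd %s: not matched */
'''


def find_self_referencing_sprintf(source):
    """Return (line_number, destination) for every sprintf call whose
    destination buffer is also the argument consumed by a leading %s."""
    hits = []
    for m in SELF_REF_SPRINTF.finditer(source):
        # 1-based line of the match start, for a grep-style report
        line_no = source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1).strip()))
    return hits


if __name__ == "__main__":
    for line_no, dest in find_self_referencing_sprintf(SAMPLE_C):
        print(f"line {line_no}: sprintf writes into '{dest}' while reading it")
```

The last two sample lines are the pattern's blind spots: it keys on the literal text `sprintf(` and only flags the destination when it is the first argument after the format string.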

