Re: Possible vulnerability in csplit
From: Pádraig Brady
Subject: Re: Possible vulnerability in csplit
Date: Mon, 06 May 2013 12:09:03 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2
On 05/06/2013 05:41 AM, Kapil Anand wrote:
> Hi,
>
> I work in information flow analysis of programs and my analysis gave a
> possible warning with respect to format string vulnerability in csplit
> (Version 8.17).
>
> In csplit, there is a global variable called "suffix" which is initialized
> through a command line argument in function main
>
>     suffix = optarg;
>
> Next, this variable is used as a format argument in a sprintf call in
> function make_filename.
>
>     sprintf (filename_space + strlen (prefix), suffix, num);
>
> Our analysis flagged this behavior.
>
> However, we are not sure whether Coreutil developers are aware of this
> behaviour. This might very well be a false positive. We just wanted to
> confirm our analysis.
>
> Any response in this regard will be appreciated.
Thanks for your analysis.
You're correct that the printf format is set externally,
however there is validation before use in max_out() and
check_format_conv_type(). So it seems that the current
code is safe.
thanks,
Pádraig.
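The exchange above turns on one point: a format string that comes from the command line is only safe to pass to sprintf if it has been checked to contain exactly the conversions the call supplies arguments for, and if the destination buffer has been sized for the worst case that format can produce. The following is an added example illustrating that shape of check; it is not coreutils code and does not reproduce csplit's max_out() or check_format_conv_type(). The function names (suffix_format_is_safe, max_suffix_len, make_filename_checked), the exact set of accepted conversions and the rejection of `*` width are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <limits.h>

/* Hypothetical validator for a caller-controlled suffix format that will
 * later be passed to sprintf/snprintf with a single int argument.
 * Policy assumed here (not csplit's own rules):
 *  - exactly one conversion specification,
 *  - flags, numeric width and precision allowed, '*' rejected
 *    (it would pull an extra argument off the stack),
 *  - conversion type restricted to d i u o x X, so %s, %p and the
 *    write-what-where %n are refused, as are length modifiers,
 *  - "%%" is accepted as a literal percent sign.
 */
bool suffix_format_is_safe(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%": literal percent */
        while (*p && strchr("-+ #0", *p))   /* flags */
            p++;
        while (*p >= '0' && *p <= '9')      /* width: digits only */
            p++;
        if (*p == '.') {                    /* precision */
            p++;
            while (*p >= '0' && *p <= '9')
                p++;
        }
        /* Anything other than an integer conversion here is rejected:
         * 's', 'n', 'p', '*', 'l', or an unterminated "%" at end of string. */
        if (!*p || !strchr("diuoxX", *p))
            return false;
        if (++conversions > 1)
            return false;
    }
    return conversions == 1;
}

/* Worst-case length of the expanded suffix, computed by probing the
 * (already validated) format with the extreme values an int argument can
 * take. -1 covers the unsigned conversions (%u/%o/%x/%X) via the usual
 * same-width reinterpretation; INT_MIN gives the longest signed output. */
size_t max_suffix_len(const char *fmt)
{
    static const int probes[] = { INT_MIN, INT_MAX, -1 };
    int best = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int n = snprintf(NULL, 0, fmt, probes[i]);
        if (n > best)
            best = n;
    }
    return (size_t)best;
}

/* Hardened counterpart of a make_filename-style routine: refuse unsafe
 * formats up front, size the buffer from the worst case, and use snprintf
 * bounded to what remains after the prefix. Returns NULL on rejection or
 * allocation failure; caller frees the result. */
char *make_filename_checked(const char *prefix, const char *suffix, int num)
{
    if (!suffix_format_is_safe(suffix))
        return NULL;
    size_t plen = strlen(prefix);
    size_t need = plen + max_suffix_len(suffix) + 1;
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    memcpy(buf, prefix, plen);
    snprintf(buf + plen, need - plen, suffix, num);
    return buf;
}

int main(void)
{
    /* Constructed inputs: a benign suffix and two hostile ones. */
    const char *formats[] = { "%02d", "%s", "%n%n%n", "%d%d" };
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        char *name = make_filename_checked("xx", formats[i], 7);
        printf("%-8s -> %s\n", formats[i], name ? name : "(rejected)");
        free(name);
    }
    return 0;
}
```

The two halves mirror the two functions Pádraig names: the conversion-type check is what stops an attacker-controlled `%s`, `%n` or extra `%x` from being interpreted, and the length computation is what makes the subsequent sprintf into a fixed buffer sound even for the longest value the single int argument can produce.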