Re: Possible vulnerability in csplit

coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possible vulnerability in csplit

From:	Pádraig Brady
Subject:	Re: Possible vulnerability in csplit
Date:	Mon, 06 May 2013 12:09:03 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2

On 05/06/2013 05:41 AM, Kapil Anand wrote:
> Hi, 
> 
> I work in information flow analysis of programs and my analysis gave a 
> possible warning with respect to format string vulnerability in csplit 
> (Version 8.17). 
> 
> In csplit, there is a global variable called "suffix" which is initialized 
> through a command line argument in function main
> 
> /suffix = optarg/
> 
> Next, this variable is used as a format argument in a sprintf call in 
> function make_filename.
> 
> /sprintf (filename_space + strlen (prefix), suffix, num)/
> 
> Our analysis flagged this behavior. 
> 
> However, we are not sure whether Coreutil developers are aware of this 
> behaviour. This might very well be a false positive. We just wanted to 
> confirm our analysis.
> 
> Any response in this regard will be appreciated.

Thanks for your analysis.
You're correct that the printf format is set externally,
however there is validation before use in max_out() and
check_format_conv_type().  So it seems that the current
code is safe.

thanks,
Pádraig.

[Prev in Thread]

Current Thread

[Next in Thread]

Possible vulnerability in csplit, Kapil Anand, 2013/05/06
- Re: Possible vulnerability in csplit, Pádraig Brady <=

Prev by Date: Possible vulnerability in csplit
Next by Date: Re: [PATCH] id: show SMACK security context
Previous by thread: Possible vulnerability in csplit
Next by thread: Re: Add --parents option to mv command in order to create parents directories
Index(es):
- Date
- Thread