
Re: Possible vulnerability in csplit


From: Pádraig Brady
Subject: Re: Possible vulnerability in csplit
Date: Mon, 06 May 2013 12:09:03 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2

On 05/06/2013 05:41 AM, Kapil Anand wrote:
> Hi, 
> 
> I work in information flow analysis of programs and my analysis gave a 
> possible warning with respect to format string vulnerability in csplit 
> (Version 8.17). 
> 
> In csplit, there is a global variable called "suffix" which is initialized 
> through a command line argument in function main
> 
> /suffix = optarg/
> 
> Next, this variable is used as a format argument in a sprintf call in 
> function make_filename.
> 
> /sprintf (filename_space + strlen (prefix), suffix, num)/
> 
> Our analysis flagged this behavior. 
> 
> However, we are not sure whether Coreutils developers are aware of this 
> behaviour. This might very well be a false positive. We just wanted to 
> confirm our analysis.
> 
> Any response in this regard will be appreciated.

Thanks for your analysis.
You're correct that the printf format is set externally,
however there is validation before use in max_out() and
check_format_conv_type().  So it seems that the current
code is safe.

thanks,
Pádraig.
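As an added illustration (not coreutils' own code) of the kind of validation the reply refers to: a check that admits a user-supplied suffix only if it is a printf format consuming exactly one plain int argument, so that passing it to sprintf() with a single number cannot read extra arguments or write memory. The function name, the accepted conversion set, and the rejection of length modifiers are assumptions of this example; coreutils' check_format_conv_type() and max_out() differ in detail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Return true if FMT contains exactly one conversion, that conversion
   is one of d i o u x X with optional flags, width and precision, and
   nothing else in the string is a conversion.  %% is a literal percent.
   Anything that would consume another argument or a different type
   (%s, %n, %*d, %ld, a trailing lone %) is rejected.  */
bool
suffix_format_is_safe (const char *fmt)
{
  int conversions = 0;
  for (const char *p = fmt; *p; p++)
    {
      if (*p != '%')
        continue;
      p++;
      if (*p == '%')                         /* "%%": literal percent */
        continue;
      while (*p && strchr ("-+ #0", *p))     /* flags */
        p++;
      while (*p >= '0' && *p <= '9')         /* width as digits only;
                                                '*' would need an argument */
        p++;
      if (*p == '.')                         /* optional precision */
        {
          p++;
          while (*p >= '0' && *p <= '9')
            p++;
        }
      /* No length modifiers: the single argument is a plain int.  */
      if (!*p || !strchr ("diouxX", *p))
        return false;
      if (++conversions > 1)
        return false;
    }
  return conversions == 1;
}
```

A caller would run this check once, at option parsing time, and refuse the suffix (rather than the later sprintf) when it returns false.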
