Check-in Number: 3125
Date: 2003-Jan-30 20:18:57 (local), 2003-Jan-30 19:18:57 (UTC)
User: rse
Branch:
Comment:
Fix a big security hole: the l2_spec() is a varargs function which gets
a format string and variable arguments. In case only a fixed string is
used we have to use "%s" as the format string or else "%x" in the string
is treated like a formatter (and hence causes a segfault or whatever
else if it tries to fetch args from the stack). This especially also no
longer requires the formatting constructs to be written %%X...
Tickets:
Inspections:
Files:
ossp-pkg/lmtp2nntp/00TODO 1.61 -> 1.62
--- 00TODO 2002/07/29 11:39:43 1.61
+++ 00TODO 2003/01/30 19:18:57 1.62
@@ -76,26 +76,5 @@
potential to merge post/header modes -h [Newsgroups:${_EnvelopeRCPT}\n]
-===================================================================
-RCS file: /e/ossp/cvs/ossp-pkg/fsl/fsl.c,v
-retrieving revision 1.22
-retrieving revision 1.21
-diff -r1.22 -r1.21
-341c341
-< if ((l2rv = l2_spec(&ch, ctx.l2_fslenv, "%s", argl2spec)) != L2_OK) {
----
-> if ((l2rv = l2_spec(&ch, ctx.l2_fslenv, argl2spec)) != L2_OK) {
-513c513
-< if ((l2rv = l2_spec(&ch, ctx.l2_env, "%s", argl2spec)) != L2_OK) {
----
-> if ((l2rv = l2_spec(&ch, ctx.l2_env, argl2spec)) != L2_OK) {
-
-Fix a big security hole: the l2_spec() is a varargs function which gets
-a format string and variable arguments. In case only a fixed string is
-used we have to use "%s" as the format string or else "%x" in the string
-is treated like a formatter (and hence cause a segfault or whatever
-else if it tries to fetch args from the stack). This especially also no
-longer requires the formatters to be written %%X...
-
- consider using lib_cfg for configuration file parsing
+ consider using lib_cfg for configuration file parsing
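Review bot: before this reminder is deleted, please confirm that lmtp2nntp has no other l2_spec() caller passing a variable as the format; the removed note lists two such calls in fsl.c (lines 341 and 513), while this check-in changes a single call in lmtp2nntp_config.c. The final -/+ pair on the "consider using lib_cfg" line reads the same on both sides, so it looks like a whitespace-only change that would be better left out of a security fix.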
ossp-pkg/lmtp2nntp/lmtp2nntp_config.c 1.86 -> 1.87
--- lmtp2nntp_config.c 2003/01/30 15:19:55 1.86
+++ lmtp2nntp_config.c 2003/01/30 19:18:57 1.87
@@ -158,7 +158,7 @@
fprintf(stderr, "%s:Error: logging failed to configure \"%s\" channel\n", ctx->progname, l2_handler_var.name);
CU(CONFIG_ERR_LOG);
}
- if ((l2_spec(&ch, ctx->l2_env, ov->data.s)) != L2_OK) {
+ if ((l2_spec(&ch, ctx->l2_env, "%s", ov->data.s)) != L2_OK) {
fprintf(stderr, "%s:Error: logging failed to create stream\n", ctx->progname);
CU(CONFIG_ERR_LOG);
}
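Review bot: nothing guards the l2_spec() call on the + line against regressing to the old form, so I would back the fix with a compile-time check: if the l2_spec() prototype carries a printf-style format attribute, GCC's -Wformat-security flags a call whose format is a variable with no arguments, which is exactly the removed line. The result is also only compared against L2_OK here, whereas the fsl.c lines quoted in 00TODO keep it in l2rv; storing it would let the "failed to create stream" message report the reason.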
ossp-pkg/lmtp2nntp/test.sh 1.13 -> 1.14
--- test.sh 2002/03/04 15:54:28 1.13
+++ test.sh 2003/01/30 19:18:57 1.14
@@ -16,10 +16,10 @@
Message-Id: <200108141251.f7ECpmn74812@dev.de.cw.net>
From: Thomas Lotterer <Thomas.Lotterer@example.com>
Received: from cw.example.com (cw.example.com [10.1.1.32])
- by gateway.example.com (8.9.2/8.9.2/$Revision: 1.13 $) with SMTP id NAA08840
+ by gateway.example.com (8.9.2/8.9.2/$Revision: 1.14 $) with SMTP id NAA08840
for <thomas.lotterer@gateway.example.com>; Mon, 2 Apr 2001 13:20:25 +0200 (MET DST)
Received: from history (history.example.org [195.143.102.41])
- by cw.example.com (8.11.0/8.11.0/$Revision: 1.13 $) with ESMTP id f32BKPb12235
+ by cw.example.com (8.11.0/8.11.0/$Revision: 1.14 $) with ESMTP id f32BKPb12235
for <thomas.lotterer@example.com>; Mon, 2 Apr 2001 13:20:25 +0200
Received: from example.org (littlemua.example.org [195.143.103.160])
by history (8.8.8/8.8.8) with ESMTP id LAA12678;
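Review bot: the $Revision$ strings in the two sample Received: headers should not be subject to keyword expansion, since the only difference in these lines is 1.13 becoming 1.14 and the test message will change again on every check-in of test.sh. Storing the file with expansion disabled (cvs admin -ko) or breaking up the keyword in the fixture would keep the test input stable and keep unrelated noise out of security fixes like this one.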
@@ -79,7 +79,7 @@
L2CONF="${PREFIX}logspec"
L2FILE="${PREFIX}log"
- L2SPEC="'debug: prefix(prefix=\"%%b %%d %%H:%%M:%%S <%%L> lmtp2nntp[%%P]: \",timezone=local) -> file(path=\"${L2FILE}\",append=0,perm=432)'"
+ L2SPEC="'debug: prefix(prefix=\"%b %d %H:%M:%S <%L> lmtp2nntp[%P]: \",timezone=local) -> file(path=\"${L2FILE}\",append=0,perm=432)'"
echo >${L2CONF} "l2spec ${L2SPEC}"
LOG="-i ${L2CONF}"
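Review bot: the L2SPEC line now depends on lmtp2nntp_config.c passing the spec through "%s", but nothing in the script says so. A short comment above L2SPEC stating that the single % signs are intentional, and that the test therefore doubles as the regression check for this fix, would stop someone from re-adding the %% escapes or from reading the change as cosmetic.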
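The two call styles from the check-in comment, as an added example (not code from the OSSP project): `spec_build()` is a hypothetical stand-in for a varargs function such as `l2_spec()`, `count_conversions()` is an assumed audit helper, and the sample strings are constructed. It shows why test.sh could drop the `%%` escapes once the spec travels as a `%s` argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a varargs spec function such as l2_spec():
 * expands fmt with the variable arguments into out, -1 on truncation. */
static int spec_build(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Audit helper (assumed name): counts every '%' that is not part of a
 * literal "%%". Non-zero means s is unsafe in the format position. */
static int count_conversions(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* "%%" is a literal percent sign */
        else
            count++;        /* "%b", "%x", ... would fetch an argument */
    }
    return count;
}

int main(void)
{
    /* Constructed sample values modelled on the prefix in test.sh. */
    const char *escaped = "prefix=\"%%b %%d <%%L>\"";
    const char *plain   = "prefix=\"%b %d <%L>\"";
    char buf[128];

    spec_build(buf, sizeof(buf), escaped);      /* old style: "%%" collapses to "%" */
    printf("as format:   %s\n", buf);
    spec_build(buf, sizeof(buf), "%s", plain);  /* fixed style: copied verbatim */
    printf("as argument: %s\n", buf);
    printf("conversions in plain spec: %d\n", count_conversions(plain));
    return 0;
}
```

Both calls in `main()` produce the same output string, which is why the old code needed `%%` in its configuration and the fixed code does not.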