X2Go Bug report logs - #777
nx-libs: incorrect usage of scanf

version graph

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Heinrich Schuchardt <xypron.glpk@gmx.de>

Date: Fri, 30 Jan 2015 19:40:01 UTC

Severity: normal

Found in version head

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #10 received at 777@bugs.x2go.org (full text, mbox, reply):

Received: (at 777) by bugs.x2go.org; 31 Jan 2015 15:04:23 +0000
From mike.gabriel@das-netzwerkteam.de  Sat Jan 31 16:04:22 2015
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED
	autolearn=ham version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 03E103BC90
	for <777@bugs.x2go.org>; Sat, 31 Jan 2015 16:04:22 +0100 (CET)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 728CAC8B;
	Sat, 31 Jan 2015 16:04:21 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 65A843BA82;
	Sat, 31 Jan 2015 16:04:21 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id vOmLeurzp8oU; Sat, 31 Jan 2015 16:04:21 +0100 (CET)
Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id 3AB923B9F8;
	Sat, 31 Jan 2015 16:04:21 +0100 (CET)
Received: from bifrost.das-netzwerkteam.de (bifrost.das-netzwerkteam.de
 [178.62.101.154]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP;
 Sat, 31 Jan 2015 15:04:21 +0000
Date: Sat, 31 Jan 2015 15:04:21 +0000
Message-ID: <20150131150421.Horde.WB6ssWsHGA2VI15ElwEPlg1@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>, 777@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#777: nx-libs: incorrect usage of scanf
In-Reply-To: <54CBDD19.8090103@gmx.de>
User-Agent: Internet Messaging Program (IMP) H5 (6.2.2)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 178.62.101.154
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101
 Firefox/32.0 Iceweasel/32.0
Content-Type: multipart/signed; boundary="=_RmNR-BiofksTWcXyuSgpsA9";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
[Message part 1 (text/plain, inline)]
Hi Heinrich,

On  Fr 30 Jan 2015 20:35:53 CET, Heinrich Schuchardt wrote:

> package: nx-libs
> version: head
>
> In different parts of the nx-libs library you can find usages of scanf like
>
>    /* check for MESA_GAMMA environment variable */
>    gamma = _mesa_getenv("MESA_GAMMA");
>    if (gamma) {
>       v->RedGamma = v->GreenGamma = v->BlueGamma = 0.0;
>       sscanf( gamma, "%f %f %f", &v->RedGamma, &v->GreenGamma,
> &v->BlueGamma );
>
> According to cppcheck:
>
> scanf without field width limits can crash with huge input data on libc
> versions older than 2.13-25. Add a field width specifier to fix this
> problem:
>     %i => %3i

Any chance you could also provide a patch for this?

Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 14:59:21 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.