[sane-backends] use string literals as format strings (#1037316)
Nils Philippsen
nphilipp at fedoraproject.org
Wed Dec 4 14:27:15 UTC 2013
commit c49ab916be4264b5fe8adaca570ac43472433d50
Author: Nils Philippsen <nils at redhat.com>
Date: Wed Dec 4 15:27:07 2013 +0100
use string literals as format strings (#1037316)
sane-backends-1.0.24-format-security.patch | 139 ++++++++++++++++++++++++++++
sane-backends.spec | 7 +-
2 files changed, 145 insertions(+), 1 deletions(-)
---
diff --git a/sane-backends-1.0.24-format-security.patch b/sane-backends-1.0.24-format-security.patch
new file mode 100644
index 0000000..89defc3
--- /dev/null
+++ b/sane-backends-1.0.24-format-security.patch
@@ -0,0 +1,139 @@
+From d1c0b7d119bb9dd2c51143b44cc86a369f453746 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Wed, 4 Dec 2013 15:21:19 +0100
+Subject: [PATCH] patch: format-security
+
+Squashed commit of the following:
+
+commit 19e071b9f6d477462a0f4afbbd17acd15268ddfa
+Author: Nils Philippsen <nils at redhat.com>
+Date: Wed Dec 4 15:04:12 2013 +0100
+
+ avoid using string formats insecurely with "-f"
+
+ In the process, simplify processing the device list format: don't copy
+ the format string for writing \0 into it, just iterate over chunks in
+ the original string.
+
+ (cherry picked from commit 8082a42ec4f3b3cf2cffc30a45dda5fc41d55576)
+---
+ frontend/scanimage.c | 52 ++++++++++++++++++++--------------------------------
+ 1 file changed, 20 insertions(+), 32 deletions(-)
+
+diff --git a/frontend/scanimage.c b/frontend/scanimage.c
+index d41c849..9e1bcfb 100644
+--- a/frontend/scanimage.c
++++ b/frontend/scanimage.c
+@@ -1826,23 +1826,16 @@ main (int argc, char **argv)
+ else
+ {
+ int i = 0, int_arg = 0;
+- char *percent, *start, *fmt;
++ const char *percent, *start;
+ const char *text_arg = 0;
+- char cc, ftype;
+-
+- fmt = malloc (strlen (optarg) + 1);
+- if (fmt == 0)
+- {
+- fprintf (stderr, "%s: not enough memory\n", prog_name);
+- exit (1);
+- }
++ char ftype;
+
+ for (i = 0; device_list[i]; ++i)
+ {
+- strcpy (fmt, optarg);
+- start = fmt;
++ start = optarg;
+ while (*start && (percent = strchr (start, '%')))
+ {
++ int start_len = percent - start;
+ percent++;
+ if (*percent)
+ {
+@@ -1850,19 +1843,19 @@ main (int argc, char **argv)
+ {
+ case 'd':
+ text_arg = device_list[i]->name;
+- ftype = *percent = 's';
++ ftype = 's';
+ break;
+ case 'v':
+ text_arg = device_list[i]->vendor;
+- ftype = *percent = 's';
++ ftype = 's';
+ break;
+ case 'm':
+ text_arg = device_list[i]->model;
+- ftype = *percent = 's';
++ ftype = 's';
+ break;
+ case 't':
+ text_arg = device_list[i]->type;
+- ftype = *percent = 's';
++ ftype = 's';
+ break;
+ case 'i':
+ int_arg = i;
+@@ -1870,45 +1863,40 @@ main (int argc, char **argv)
+ break;
+ case 'n':
+ text_arg = "\n";
+- ftype = *percent = 's';
++ ftype = 's';
+ break;
+ case '%':
+- ftype = 0;
++ text_arg = "%";
++ ftype = 's';
+ break;
+ default:
+ fprintf (stderr,
+ "%s: unknown format specifier %%%c\n",
+ prog_name, *percent);
+- *percent = '%';
+- ftype = 0;
++ text_arg = "%";
++ ftype = 's';
+ }
+- percent++;
+- cc = *percent;
+- *percent = 0;
++ printf ("%.*s", start_len, start);
+ switch (ftype)
+ {
+ case 's':
+- printf (start, text_arg);
++ printf ("%s", text_arg);
+ break;
+ case 'i':
+- printf (start, int_arg);
+- break;
+- case 0:
+- printf (start);
++ printf ("%i", int_arg);
+ break;
+ }
+- *percent = cc;
+- start = percent;
++ start = percent + 1;
+ }
+ else
+ {
+- /* last char of the string is a '%', suppress it */
+- *start = 0;
++ /* last char of the string is a '%', ignore it */
++ start++;
+ break;
+ }
+ }
+ if (*start)
+- printf (start);
++ printf ("%s", start);
+ }
+ }
+ if (i == 0 && ch != 'f')
+--
+1.8.4.2
+
diff --git a/sane-backends.spec b/sane-backends.spec
index 12c8782..6b975a4 100644
--- a/sane-backends.spec
+++ b/sane-backends.spec
@@ -37,7 +37,7 @@
Summary: Scanner access software
Name: sane-backends
Version: 1.0.24
-Release: 7%{?dist}
+Release: 8%{?dist}
# lib/ is LGPLv2+, backends are GPLv2+ with exceptions
# Tools are GPLv2+, docs are public domain
# see LICENSE for details
@@ -75,6 +75,8 @@ Patch5: sane-backends-1.0.24-pixma_bjnp-crash.patch
Patch6: sane-backends-1.0.24-static-code-check.patch
# Upstream commit 758731489d0d58bab6e4b70db9556038c9f4bb67
Patch7: sane-backends-1.0.24-scsi-permissions.patch
+# Upstream commit 8082a42ec4f3b3cf2cffc30a45dda5fc41d55576
+Patch8: sane-backends-1.0.24-format-security.patch
URL: http://www.sane-project.org
@@ -312,6 +314,9 @@ udevadm hwdb --update >/dev/null 2>&1 || :
%{_libdir}/sane/*gphoto2.so*
%changelog
+* Wed Dec 04 2013 Nils Philippsen <nils at redhat.com> - 1.0.24-8
+- use string literals as format strings (#1037316)
+
* Wed Nov 20 2013 Nils Philippsen <nils at redhat.com> - 1.0.24-7
- set correct permissions for SCSI devices (#1028549)
More information about the scm-commits
mailing list