Dear all,

There is a potential attack vector, and easily avoidable, in "lib/argp-parser.c" of GNUlib. This came to my attention through the modifications Guillem Jover [1] makes to GNU Inetutils' source archives. The relevant change is reproduced below. (Yes, I will act myself on all those changes that only concern our own source!)
The problem is that the result of dgettext() is fed directly as format string into __argp_error(). A benevolent translator would produce a constant string without format escapes, but I know from practice that the deprecated format "%q" will cause OpenSolaris to segfault, so a malevolent attacker could in fact cause some damage.

Best regards,
Mats Erik Andersson

[1] http://patch-tracker.debian.org/patch/series/dl/inetutils/2:1.9-1/71_ftbfs_format_security.patch

diff --git a/lib/argp-parse.c b/lib/argp-parse.c index 39b8336..d9f08b6 100644 --- a/lib/argp-parse.c +++ b/lib/argp-parse.c @@ -154,7 +154,7 @@ argp_version_parser (int key, char *arg, struct argp_state *state) else if (argp_program_version) fprintf (state->out_stream, "%s\n", argp_program_version); else - __argp_error (state, dgettext (state->root_argp->argp_domain, + __argp_error (state, "%s", dgettext (state->root_argp->argp_domain, "(PROGRAM ERROR) No version known!?")); if (! (state->flags & ARGP_NO_EXIT)) exit (0);
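Review bot: the `"%s"` wrapper on the `__argp_error` call in this hunk is the right fix, but it covers only the one call site shown in `argp_version_parser`; every other place in argp-parse.c that passes a `dgettext` result straight through as the format argument of `__argp_error` needs the same treatment, otherwise the attack vector described in the message is only partly closed. Building with `-Wformat-security` (the concern the Debian patch name `71_ftbfs_format_security` points to) will list the remaining sites, and the hunk could mention in its commit message that the translated text is now passed as data, not as a format, so future edits do not reintroduce the pattern.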
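Added example in C (my own code, not gnulib's argp implementation): a stand-in for __argp_error shows that with the patch's "%s" call shape a catalog string carrying directives is printed verbatim, and a coarse directive count in the spirit of msgfmt -c flags a translation that introduces format directives the original msgid does not have. The catalog strings below are constructed samples, not real translations.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for __argp_error: formats exactly like vfprintf would, but into
   a buffer so the result can be inspected. Hypothetical helper. */
static char rendered[128];

static int render_error(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Fixed call shape from the patch: the translated text is an argument and
   the constant "%s" is the format, so any %-sequence in it is plain data. */
static const char *report_fixed(const char *translated)
{
    render_error(rendered, sizeof rendered, "%s", translated);
    return rendered;
}

/* Count printf-style directives in s; "%%" is a literal percent sign.
   A coarse version of the format check msgfmt -c performs on catalogs. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* A translation used as a format must carry exactly the directives of the
   original msgid; a directive-free msgid admits no directives at all. */
static int translation_matches(const char *msgid, const char *msgstr)
{
    return count_directives(msgid) == count_directives(msgstr);
}

int main(void)
{
    /* Constructed catalog entries. */
    const char *msgid  = "(PROGRAM ERROR) No version known!?";
    const char *benign = "(PROGRAMMFEHLER) Keine Version bekannt!?";
    const char *rogue  = "(PROGRAM ERROR) %q version %x!?";
    printf("printed as data: %s\n", report_fixed(rogue));
    printf("benign ok=%d rogue ok=%d\n",
           translation_matches(msgid, benign),
           translation_matches(msgid, rogue));
    return 0;
}
```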