On Fri, Sep 05, 2003 at 04:47:30PM +0200, Frank Lichtenheld wrote:
> I recently adopted the magpie package (It reads in Packages files and
> produces HTML output)
>
> It was un/undermaintained a long time and has no separate upstream.
> While looking in the code to fix some outstanding bugs I found
> several code pieces like
>
> char path[256];
> sprintf( path, "some string/%s", packagename);
>
> There are no further checks as I can see. I'm not very experienced in C
> programming and don't know much about the details of exploiting buffer
> overflows or the like...
>
> Is such code (away from the fact that it can easily lead to segfaults) a
> security problem?
If the data in "packagename" comes from an untrusted source (for example, a file downloaded from a remote system), then yes, this represents a vulnerability. If the data is trusted (for example, a command-line argument supplied by the user, where the program is running under the user's privileges), then it does not represent a vulnerability. Regardless, they are bugs and sloppy code and should be fixed. Usually the most straightforward fix is to replace unbounded operations such as sprintf and strcpy with bounded ones such as snprintf and strncpy.

-- 
- mdz
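As an added illustration of the bounded replacement suggested in the reply (this is example code written for this page, not code from magpie or from either poster), the snippet below wraps the quoted sprintf call in a helper that uses snprintf with the buffer size and checks its return value. The format string "some string/%s" and the 256-byte buffer are taken from the quoted code; the function name build_path and the two check functions are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for:  sprintf(path, "some string/%s", packagename);
 * Writes at most outsz bytes (including the terminating NUL) into out.
 * Returns 0 on success and -1 if the result would not fit; on failure the
 * buffer is emptied so a silently truncated path is never handed back. */
int build_path(char *out, size_t outsz, const char *packagename)
{
    if (out == NULL || outsz == 0 || packagename == NULL)
        return -1;

    /* snprintf returns the length the full string would have had, even
     * when it had to stop early, so a value >= outsz means truncation. */
    int n = snprintf(out, outsz, "some string/%s", packagename);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed check: a short package name fits in a 256-byte buffer and
 * the result is exactly "some string/<name>". Returns 1 on success. */
int check_short_name(void)
{
    char path[256];
    if (build_path(path, sizeof path, "magpie") != 0)
        return 0;
    return strcmp(path, "some string/magpie") == 0;
}

/* Constructed check: the prefix "some string/" is 12 bytes, so a 256-byte
 * buffer holds a name of at most 243 bytes. 243 must succeed, 244 must be
 * rejected with an empty buffer instead of overflowing. Returns 1 on success. */
int check_long_name(void)
{
    char path[256];
    char name[245];

    memset(name, 'A', 243);
    name[243] = '\0';
    if (build_path(path, sizeof path, name) != 0)
        return 0;
    if (strlen(path) != 255)
        return 0;

    memset(name, 'A', 244);
    name[244] = '\0';
    if (build_path(path, sizeof path, name) != -1)
        return 0;
    return path[0] == '\0';
}

int main(void)
{
    printf("short name: %s\n", check_short_name() ? "ok" : "FAIL");
    printf("long name:  %s\n", check_long_name() ? "ok" : "FAIL");
    return 0;
}
```

The point the check functions make is that snprintf alone only stops the overflow; without looking at its return value the caller would continue with a truncated path, so the helper treats "does not fit" as an error. Note also that strncpy, the other bounded function named in the reply, does not NUL-terminate when the source is at least as long as the limit, so code that switches to it needs to terminate the buffer explicitly.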