On Wed, Dec 04, 2013 at 11:56:23PM +0100, Brendan Jones wrote:
> Patching is not a problem. Unnecessary is the question. Explain to
> me (not you in particular Rahul) how these printf's can possibly be
> exploited?
To expand on my earlier mail: the printf usage in hydrogen is definitely horribly wrong. Basically all logging output is passed through these calls and might contain data from all kinds of sources, be it file names or various metadata.

Want to see it crash? Crank up the log level (-VInfo does it) and pick "save library" from the menu. Enter some printf format specifiers (%s or something) in the name or author field.

Segmentation fault (core dumped)

Oops. Valgrind had this to say:

> Process terminating with default action of signal 11 (SIGSEGV)
>  General Protection Fault
>    at 0x863508F: vfprintf (vfprintf.c:1635)
>    by 0x86F0600: __printf_chk (printf_chk.c:35)
>    by 0x584360: loggerThread_func(void*) (stdio2.h:104)
>    by 0x4E38F32: start_thread (pthread_create.c:309)
>    by 0x86E0EAC: clone (clone.S:111)

loggerThread_func? You'll find that in object.cpp. The crashing printf call is on line 242. But you know that already, as Dhiru wrote it in the bug report for your package.

I'm sure someone more determined than me might find all sorts of ways to make use of these flaws that are not in the interest of hydrogen's users.

Lars
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
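The bug class Lars describes is a classic format-string vulnerability: untrusted text (a file name, a library author field) reaches the printf family as the format argument rather than as data, so every '%' conversion in it is interpreted against arguments that were never passed. The following is an added, self-contained illustration of the pattern and its fix; it is not hydrogen's code and does not reproduce loggerThread_func or object.cpp. The function names (log_vulnerable, log_safe, count_conversions) and the sample author string are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical logger modelled on the bug described above: the message
 * text is handed to vsnprintf as the FORMAT argument, so any '%'
 * conversion an attacker types into a metadata field is interpreted.
 * Illustrative code, not hydrogen's loggerThread_func.
 */
static int log_vulnerable(char *out, size_t outlen, const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    int n = vsnprintf(out, outlen, msg, ap); /* BUG: msg is untrusted */
    va_end(ap);
    return n;
}

/* Hardened form: a fixed literal format; the message is only ever data. */
static int log_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/*
 * Triage helper: count the conversion specifiers an attacker-controlled
 * string would trigger if it reached printf as the format. "%%" is a
 * literal percent sign and is not counted; a dangling trailing '%' is
 * counted because it is undefined behaviour as a format too.
 */
static int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;
        if (p[1] == '\0')       /* dangling '%' at end of string */
            break;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: what a user might type into the "author" field. */
    const char *author = "Someone 100%% real %s %n";
    char buf[128];

    log_safe(buf, sizeof buf, author);
    printf("safe logger : %s\n", buf);
    printf("conversions : %d (each reads or writes via a missing argument)\n",
           count_conversions(author));

    /* Only a benign format is fed to the vulnerable path here. With the
     * author string above it would dereference garbage stack values,
     * which is the SIGSEGV inside vfprintf seen in the valgrind trace. */
    log_vulnerable(buf, sizeof buf, "progress 100%% done");
    printf("vulnerable  : %s\n", buf);
    return 0;
}
```

Building the real code with -Wformat-security (and -Wformat-nonliteral for wrappers that forward a va_list) flags every call site where a non-literal format is used, which is the quickest way to enumerate the spots that need the "%s" fix.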