oss-security - Re: Nagios format string issues

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <Pine.GSO.4.64.1010061138200.25305@faron.mitre.org>
Date: Wed, 6 Oct 2010 11:40:49 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: Nagios format string issues

On Wed, 6 Oct 2010, Josh Bressers wrote:

> ----- "Oden Eriksson" <oeriksson@...driva.com> wrote:
>
>>
>> Just checked the ones I fixed (in 2008/2009):
>>
>> $ rpm -qlp /SRPMS/contrib/release/*.rpm /SRPMS/main/release/*.rpm |
>> grep
>> format_not_a_string_literal_and_no_format_arguments | wc -l
>> 106
>>
>> So, at least 106 new CVE assignments there.
>>
>>
>
> It's probably not 106. Just becuase something isn't using format arguments
> doesn't mean it's a security flaw. Some subset of these probably could be
> considered security flaws though.

I agree.  Closer inspection is necessary.  Some of these variables could 
be hard-coded constants.  Sounds like there could be a lot, though.

- Steve

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.