
Re: [leafnode-list] make check fails for 1.9.36.rel - FAIL:



Günther Dietrich <guenther.dietrich@xxxxxxxx> writes:

> On 2003-04-07, 13:26 Matthias Andree wrote:
>
> [`make check' -> `FAIL: xsnprintf']
>
>> (so I can tell what exactly is wrong), edit xsnprintf.c, find the line
>> "#ifdef VERBOSE" and add a line "#define VERBOSE 1" just before the
>> #ifdef line, and type "make xsnprintf" then "./xsnprintf" and report the
>> results.
>
> Now I got time to do this. The result is:
>
> |test 1 returned 1, string: "1"
>
> After reading the man page and studying the source code of xsnprintf.c I
> get a vague idea, why it complains. But I have no guess, what to do
> about it. Is it a bug in the library function?

Indeed it is.

The snprintf() library function should have placed a 0 byte to terminate
the string; instead, it has either emitted an unterminated string or
written past the buffer's end (buffer overrun). I don't currently test
which way it failed, and it's not important, because either way is wrong
and dangerous.

So, on your system, any software that relies on your libc's snprintf is
insecure.

You can cheat leafnode: leafnode ships its own snprintf() function for
systems that don't have one, and you can trick it into using that one
instead of your system's: First, unless you have already done so,
reconfigure with the config.cache enabled and in maintainer mode,
e. g. run ./configure -C --enable-maintainer-mode

Then edit config.cache: find the line

ac_cv_func_snprintf=${ac_cv_func_snprintf=yes}

and change it so that it reads

ac_cv_func_snprintf=${ac_cv_func_snprintf=no}

Then run ./config.status --recheck && make check

If make check passes the xsnprintf test, then you should be able to use
leafnode until you've got time to upgrade. But be aware that other
software you're running may not be secure, so this is really nothing
more than an interim solution, and it leaves other software vulnerable.

If you really need to be sure, run nm -s fetchnews leafnode | grep snp:
if it prints something like

0804ebb6 T snprintf
0804e9b0 T vsnprintf
08052dfe T xsnprintf
0804d67e T snprintf
0804d478 T vsnprintf
0805124a T xsnprintf

with the capital T and hex number then that's fine; if you however get
something with a U and without hex number on the left such as

         U snprintf@@GLIBC_2.0

it's still b0rked and the trick failed (I can't help you in that case).

Such systems should be bugfixed or updated as soon as possible.

-- 
Matthias Andree
leafnode-1 download: http://sourceforge.net/projects/leafnode/
leafnode-1 docs/new: http://mandree.home.pages.de/leafnode/
leafnode-2 homepage: http://mandree.home.pages.de/leafnode/beta/

-- 
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx -- mailing list for leafnode
To unsubscribe, send mail with "unsubscribe" in the subject to the list
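
The reply above names two ways a broken snprintf() can fail (unterminated string, or a write past the buffer's end) and says the test does not tell them apart. The C sketch below is an added example, not leafnode's xsnprintf.c and not code from this thread: it surrounds the destination with canary bytes to classify the failure. The names check_snprintf, model_unterminated and model_overrun are hypothetical, and the two models are constructed stand-ins for a faulty libc.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define GUARD 0x5A   /* canary value filling the arena before the call */
#define SLACK 8      /* canary bytes checked after the destination */
enum { OK = 0, UNTERMINATED = 1, OVERRUN = 2 };
typedef int (*snprintf_fn)(char *, size_t, const char *, ...);

/* Run fn on a `size`-byte destination inside a canary-filled arena and
 * report which failure mode occurred (hypothetical helper, not leafnode's). */
static int check_snprintf(snprintf_fn fn, size_t size, const char *arg)
{
    unsigned char arena[64 + SLACK];
    int verdict = OK; size_t i;
    if (size == 0 || size > 64) return -1;
    memset(arena, GUARD, sizeof arena);
    fn((char *)arena, size, "%s", arg);
    for (i = size; i < size + SLACK; i++)     /* bytes past the end touched? */
        if (arena[i] != GUARD) verdict |= OVERRUN;
    if (memchr(arena, '\0', size) == NULL)    /* no 0 byte inside the buffer? */
        verdict |= UNTERMINATED;
    return verdict;
}

/* Constructed model: truncates but leaves out the 0 byte, like strncpy(). */
static int model_unterminated(char *dst, size_t size, const char *fmt, ...)
{
    char tmp[64]; va_list ap; int n;
    va_start(ap, fmt); n = vsnprintf(tmp, sizeof tmp, fmt, ap); va_end(ap);
    if (n >= 0) memcpy(dst, tmp, (size_t)n < size ? (size_t)n + 1 : size);
    return n;
}

/* Constructed model: ignores size, like sprintf(). Test strings must stay
 * shorter than size + SLACK so the write remains inside the arena. */
static int model_overrun(char *dst, size_t size, const char *fmt, ...)
{
    char tmp[64]; va_list ap; int n; (void)size;
    va_start(ap, fmt); n = vsnprintf(tmp, sizeof tmp, fmt, ap); va_end(ap);
    if (n >= 0 && n < (int)sizeof tmp) memcpy(dst, tmp, (size_t)n + 1);
    return n;
}

int main(void)
{
    printf("libc=%d unterminated=%d overrun=%d\n", check_snprintf(snprintf, 4, "abcdefg"),
           check_snprintf(model_unterminated, 4, "abcdefg"), check_snprintf(model_overrun, 4, "abcdefg"));
    return 0;
}
```

An overrun sets both bits, because the terminating 0 byte then lies outside the buffer the caller asked for.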