contrib/gcclibs/libssp security warning

Sean Bruno sean_bruno at yahoo.com
Mon Oct 21 03:50:47 UTC 2013


There's an unchecked syslog call inside of libssp/ssp.c 


/usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23:
warning: format string is not a string literal (potentially insecure)
      [-Wformat-security]
    syslog (LOG_CRIT, msg1);
                      ^~~~
1 warning generated.

I propose the following change:

Index: contrib/gcclibs/libssp/ssp.c
===================================================================
--- contrib/gcclibs/libssp/ssp.c        (revision 256712)
+++ contrib/gcclibs/libssp/ssp.c        (working copy)
 #ifdef HAVE_SYSLOG_H
   /* Only send the error to syslog if there was no tty available.  */
   else
-    syslog (LOG_CRIT, msg3);
+    syslog (LOG_CRIT, "%s", msg3);
 #endif /* HAVE_SYSLOG_H */
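Review bot: the compiler warning quoted above points at ssp.c:137 and names msg1 (`syslog (LOG_CRIT, msg1);`), while this hunk changes the call that passes msg3; confirm that both refer to the same call, or whether a second syslog call taking msg1 also needs the `"%s"` treatment. The hunk is also missing its `@@` line-range header, so it will not apply with patch(1) as posted; regenerating it with `svn diff` will include the header.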

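As an added illustration, not part of the mail or of libssp, the following C snippet shows why the warning matters: a message passed as the format argument is parsed for `%` directives, while the same message behind a literal `"%s"` is copied as plain data. A snprintf-based wrapper stands in for syslog(3) so the two behaviours can be observed offline, and `has_conversion` is a hypothetical audit helper that flags messages which would be misparsed if they ever reached a format argument. The sample message strings are constructed for the example.

```c
/* Added example (not libssp code): message-as-format versus message-as-data.
 * snprintf() stands in for syslog(3) so the result can be inspected. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable shape from the warning, syslog (LOG_CRIT, msg): the message
 * itself is the format string, so every '%' in it is interpreted.
 * The pragmas only silence the same diagnostic the mail quotes. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static const char *render_as_format(const char *msg)
{
    static char buf[128];
    snprintf(buf, sizeof buf, msg);
    return buf;
}
#pragma GCC diagnostic pop

/* Hardened shape from the patch, syslog (LOG_CRIT, "%s", msg): the format
 * is a literal and the message is ordinary data, copied verbatim. */
static const char *render_as_data(const char *msg)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "%s", msg);
    return buf;
}

/* Hypothetical audit helper: true if msg contains a conversion directive
 * ('%' not followed by another '%'), i.e. something the formatter would
 * act on, possibly consuming arguments that were never passed. */
static bool has_conversion(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

/* True when the two shapes disagree on what gets logged. */
static bool format_changes_message(const char *msg)
{
    return strcmp(render_as_format(msg), render_as_data(msg)) != 0;
}

int main(void)
{
    /* Constructed sample: a harmless "%%" already shows the divergence. */
    const char *msg = "disk 100%% full";
    printf("as format: %s\n", render_as_format(msg));
    printf("as data:   %s\n", render_as_data(msg));
    printf("has conversion: %d\n", has_conversion("user %s logged in"));
    return 0;
}
```

Only `%%` is used in the sample on purpose: a message carrying a real conversion such as `%s` or `%n` in the format position consumes arguments that do not exist, which is undefined behaviour and exactly what `-Wformat-security` is warning about; `has_conversion` is the kind of check a logging wrapper can apply before a message is ever handed to a format argument.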