Hi,

Current gcc versions have a feature that warns when non-literal
strings are used as format strings (-Wformat-security). Fixing these
warnings can protect against possible format string vulnerabilities.

Such a warning is not by default a sign of a vulnerability, because in
many situations the strings are not attacker-controlled. However, it is
still good coding practice to change them all so they do not throw a warning.

See here for more info:
https://fedoraproject.org/wiki/Format-Security-FAQ

Some distributions plan to enable -Wformat-security by default.

Attached patch will fix two instances of this warning in courier.
Please apply.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42
diff -Naur a/libs/sqwebmail/pcp.c b/libs/sqwebmail/pcp.c
--- a/libs/sqwebmail/pcp.c	2013-08-25 20:46:53.000000000 +0200
+++ b/libs/sqwebmail/pcp.c	2015-05-12 11:46:12.302206143 +0200
@@ -1518,7 +1518,7 @@
 			printf("</span></td><td width=\"30\">&nbsp;</td><td width=\"100%%\"><span class=\"tt\">");
 			if (p->address && strcmp(p->address, "@"))
 			{
-				printf(getarg("CONFLICTERR2"));
+				printf("%s", getarg("CONFLICTERR2"));
 				print_safe(p->address);
 			}
 			else
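Review bot: the `printf("%s", getarg("CONFLICTERR2"))` form on the `+` line is the right fix for the non-literal format in `printf(getarg("CONFLICTERR2"))`; since no formatting of the returned string is wanted, `fputs(getarg("CONFLICTERR2"), stdout)` would be equivalent and skips format parsing entirely. Note the contrast with the context lines: the user-facing `p->address` goes through `print_safe()`, while the `getarg()` result (a configurable message, judging by the name) was handed to `printf` as the format, which is exactly where a stray `%` in the message would have been misinterpreted.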
diff -Naur a/libs/sqwebmail/sqwebmail.c b/libs/sqwebmail/sqwebmail.c
--- a/libs/sqwebmail/sqwebmail.c	2013-11-25 03:02:39.000000000 +0100
+++ b/libs/sqwebmail/sqwebmail.c	2015-05-12 11:46:14.218206288 +0200
@@ -1097,7 +1097,7 @@
 				c=strchr(c, '.');
 				if (c)
 				{
-					printf(sep);
+					printf("%s", sep);
 					print_safe(c+1);
 				}
 			}
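Review bot: same correct fix for `printf(sep)`; `sep` is a variable whose definition lies outside the hunk, so wrapping it in `"%s"` is the right change regardless of whether it is ever assigned a non-constant value, and `fputs(sep, stdout)` would be an equally good alternative. Both changes are behaviour-preserving unless the string contains a `%`, which is worth stating in the commit message when this is applied.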
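To show what the warning is about, here is a small added example (not code from courier or from this mail) contrasting the pattern the patch removes with the two hardened forms. `SAMPLE_MSG`, `count_directives`, `render_message` and `print_message` are names chosen for this illustration; the sample message is constructed and deliberately contains a bare `%` and a `%s`, the kind of input on which `printf(msg)` and `printf("%s", msg)` diverge.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: text that should be printed verbatim (a localized
 * message or a user-supplied value) which happens to contain characters
 * printf would treat as conversion directives. */
static const char SAMPLE_MSG[] = "Conflict: 100% of entries use %s";

/* Count the characters printf would interpret as the start of a
 * conversion directive ("%%" is a literal percent and does not count).
 * A non-zero result is exactly the case where printf(msg) and
 * printf("%s", msg) behave differently. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The pattern the patch removes:   printf(msg);
 * gcc -Wformat-security flags it because the format is not a literal.
 * Left as a comment on purpose; it is never compiled or called here. */

/* Hardened form 1: the message is data, the literal "%s" is the format.
 * Returns the number of characters that would be written (snprintf
 * semantics), so the caller can still detect truncation. */
int render_message(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Hardened form 2: when no formatting is wanted at all, fputs does not
 * parse directives, so there is nothing to get wrong. */
int print_message(const char *msg)
{
    return fputs(msg, stdout);
}

int main(void)
{
    char buf[128];

    render_message(buf, sizeof buf, SAMPLE_MSG);
    printf("directives in sample: %d\n", count_directives(SAMPLE_MSG));
    printf("rendered via \"%%s\": %s\n", buf);
    printf("rendered via fputs:  ");
    print_message(SAMPLE_MSG);
    putchar('\n');

    /* Both hardened forms reproduce the message byte for byte. */
    return strcmp(buf, SAMPLE_MSG) == 0 ? 0 : 1;
}
```

Compiling the commented-out `printf(msg);` variant with `-Wformat-security` is what produces the warning the mail describes; the two functions above compile cleanly under it because their format argument is a string literal.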

_______________________________________________
courier-users mailing list
[email protected]