On 05/06/2013 05:41 AM, Kapil Anand wrote:
> Hi,
>
> I work in information flow analysis of programs and my analysis gave a
> possible warning with respect to a format string vulnerability in csplit
> (Version 8.17).
>
> In csplit, there is a global variable called "suffix" which is initialized
> through a command line argument in function main:
>
>     suffix = optarg
>
> Next, this variable is used as a format argument in a sprintf call in
> function make_filename:
>
>     sprintf (filename_space + strlen (prefix), suffix, num)
>
> Our analysis flagged this behavior.
>
> However, we are not sure whether Coreutils developers are aware of this
> behaviour. This might very well be a false positive. We just wanted to
> confirm our analysis.
>
> Any response in this regard will be appreciated.
Thanks for your analysis. You're correct that the printf format is set externally; however, there is validation before use in max_out() and check_format_conv_type(). So it seems that the current code is safe.

thanks,
Pádraig.
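To make the reasoning in this exchange concrete, here is an added example in C. It is not csplit's code and does not reproduce the coreutils functions named above; suffix_format_is_safe() and make_filename_checked() are hypothetical names chosen for this illustration. The idea it demonstrates is the one the reply relies on: a user-supplied printf format is only safe to hand to sprintf if it has been checked to contain exactly one integer conversion (no %s, %n, %*d, length modifiers or extra conversions), and the output buffer is sized from the formatted result rather than assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical validator (example only): accept a printf-style suffix that
   contains exactly one plain integer conversion (%d %i %o %u %x %X) with
   optional flags, width and precision, plus literal text and "%%".
   Anything else printf would interpret (%s, %n, '*', length modifiers,
   a second conversion, a trailing '%') is rejected. */
bool suffix_format_is_safe(const char *fmt)
{
    int conversions = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;               /* ordinary character */
        p++;
        if (*p == '%')
            continue;               /* "%%" is a literal percent sign */

        /* flags: only the standard set, and only while not at the end */
        while (*p && strchr("-+ #0", *p))
            p++;
        /* width: digits only ('*' would pull an extra argument off the stack) */
        while (*p >= '0' && *p <= '9')
            p++;
        /* precision: '.' followed by digits only */
        if (*p == '.') {
            p++;
            while (*p >= '0' && *p <= '9')
                p++;
        }
        /* conversion type: must be present and must consume one int */
        if (!*p || !strchr("diouxX", *p))
            return false;
        if (++conversions > 1)
            return false;           /* a second conversion reads garbage */
    }
    return conversions == 1;
}

/* Build "<prefix><suffix formatted with num>" in a freshly allocated buffer.
   Returns NULL if the suffix fails validation or on allocation failure.
   Because the format was validated, the single int argument always matches. */
char *make_filename_checked(const char *prefix, const char *suffix, int num)
{
    if (!suffix_format_is_safe(suffix))
        return NULL;

    /* size the suffix part from the real formatted length */
    int n = snprintf(NULL, 0, suffix, num);
    if (n < 0)
        return NULL;

    size_t plen = strlen(prefix);
    char *out = malloc(plen + (size_t)n + 1);
    if (!out)
        return NULL;

    memcpy(out, prefix, plen);
    snprintf(out + plen, (size_t)n + 1, suffix, num);
    return out;
}

int main(void)
{
    /* constructed sample inputs: a safe suffix and two attacker-style ones */
    const char *samples[] = { "%02d", "-%x.txt", "%s", "%n", "%d%d" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *name = make_filename_checked("xx", samples[i], 7);
        printf("%-8s -> %s\n", samples[i], name ? name : "rejected");
        free(name);
    }
    return 0;
}
```

The validator is deliberately stricter than it needs to be for a real program: rejecting length modifiers and '*' costs nothing for a file-name suffix, while accepting them would require tracking argument types and counts. The essential property is the one the reply points to: once the only conversion left is a single integer one, sprintf(buf, suffix, num) cannot be steered to read or write anything other than that integer.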
