Thanks Sebastian. Shameful that to fix one I introduced another...
Regards
Pedro

On Aug 4, 2013 11:08 AM, "Sebastian Ramacher" <sramac...@debian.org> wrote:
> Hi Pedro,
>
> thank you for reporting this security issue.
>
> On 2013-08-04 10:35:46, Pedro R wrote:
> > diff -urb lcms-1.19.dfsg/samples/icctrans.c
> lcms-1.19.dfsg-patched/samples/icctrans.c
> > --- lcms-1.19.dfsg/samples/icctrans.c 2009-10-30 15:57:45.000000000 +0000
> > +++ lcms-1.19.dfsg-patched/samples/icctrans.c 2013-08-04
> 10:31:36.608445149 +0100
> > @@ -500,7 +500,7 @@
> >
> > Prefix[0] = 0;
> > if (!lTerse)
> > - sprintf(Prefix, "%s=", C);
> > + snprintf(Prefix, 20, "%s=", C);
> >
> > if (InHexa)
> > {
> > @@ -648,7 +648,9 @@
> > static
> > void GetLine(char* Buffer)
> > {
> > - scanf("%s", Buffer);
> > + size_t Buffer_size = sizeof(Buffer);
> > + fgets(Buffer, (Buffer_size - 1), stdin);
> > + sscanf("%s", Buffer);
>
> This sscanf call is wrong and introduces a format string vulnerability.
> sscanf's signature is int sscanf(const char* str, const char* fmt, ...)
> where str is used as input and format is the second argument.
>
> Regards
> --
> Sebastian Ramacher
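Review bot: in the first hunk (@@ -500,7 +500,7 @@) the destination size in `snprintf(Prefix, 20, "%s=", C);` is a bare literal and the hunk does not show the declaration of Prefix, so nothing ties the 20 to the buffer's real capacity; if Prefix is a local array, `snprintf(Prefix, sizeof(Prefix), "%s=", C);` keeps the two from drifting apart. Note also that snprintf truncates silently, so a C longer than 18 characters yields a Prefix with no trailing "=" rather than an error; if that matters for the output format, check the return value against sizeof(Prefix).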
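Review bot: in the second hunk (@@ -648,7 +648,9 @@), besides the sscanf argument order already raised, the added line `size_t Buffer_size = sizeof(Buffer);` takes the size of a `char*` (4 or 8 bytes), not of the caller's array, so the following fgets reads at most 3 or 7 characters; `Buffer_size - 1` is then one short on top of that, because fgets already reserves the terminating NUL out of the size it is given. GetLine cannot learn the real capacity from a bare pointer, so the fix needs a signature change, e.g. `void GetLine(char* Buffer, size_t Size)` with `fgets(Buffer, Size, stdin);`, plus stripping the trailing newline that fgets keeps and scanf("%s") never delivered. With that in place the `sscanf("%s", Buffer);` line should simply be dropped: as written it hands the user-controlled Buffer to sscanf as the format string.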
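A bounded line reader and a correctly ordered sscanf call, written as an added example to illustrate Sebastian's point about the sscanf signature; it is not code from this thread or from the lcms sources, and the names GetLineBounded, FirstToken and ReadFromString are assumptions. The caller passes the buffer's real size, fgets gets that size unmodified, the newline fgets keeps is stripped, an over-long line is reported as truncation rather than silently split across two reads, and sscanf receives the input as its first argument and a constant, width-limited format as its second.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * GetLineBounded (assumed name): a line reader that takes the buffer's real
 * capacity instead of guessing it from a bare char*. fgets() is given Size
 * directly, because it reserves room for the terminating NUL itself.
 * Returns true when a complete line (or the final unterminated line before
 * EOF) fit in Buffer; returns false when nothing could be read or when the
 * line was longer than Buffer, in which case the rest of that line is
 * consumed so the next call starts on a fresh line.
 */
bool GetLineBounded(char *Buffer, size_t Size, FILE *in)
{
    if (Buffer == NULL || Size == 0)
        return false;
    Buffer[0] = '\0';

    if (fgets(Buffer, (int)Size, in) == NULL)
        return false;

    size_t len = strlen(Buffer);
    if (len > 0 && Buffer[len - 1] == '\n') {
        Buffer[len - 1] = '\0';   /* drop the newline that scanf("%s") never delivered */
        return true;
    }

    /* No newline in the buffer: the line was either cut short or ended by EOF.
     * Drain the remainder and report truncation if anything was left over. */
    bool truncated = false;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = true;
    return !truncated;
}

/*
 * FirstToken (assumed name): the correct sscanf shape. The input line is the
 * first argument, the format is a constant, and the %s conversion carries a
 * width one less than the token buffer so it cannot overflow either.
 */
bool FirstToken(const char *Line, char Token[32])
{
    return sscanf(Line, "%31s", Token) == 1;
}

/* Helper for exercising GetLineBounded on a constructed string: the text is
 * written to a temporary file (ISO C tmpfile) and read back as a stream. */
bool ReadFromString(const char *Text, char *Buffer, size_t Size)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return false;
    fputs(Text, in);
    rewind(in);
    bool ok = GetLineBounded(Buffer, Size, in);
    fclose(in);
    return ok;
}

int main(void)
{
    char line[64];
    char tok[32];
    if (!GetLineBounded(line, sizeof line, stdin)) {
        fputs("no input or line longer than 63 characters\n", stderr);
        return 1;
    }
    if (FirstToken(line, tok))
        printf("first token: %s\n", tok);
    return 0;
}
```

Passing `sizeof line` at the call site is the whole point: once the callee receives the capacity as a parameter, `sizeof` on a pointer inside the function (which yields the pointer's size) is no longer tempting, and the width in the sscanf format is what keeps the second buffer in bounds.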