Thanks Sebastian.

Shameful that to fix one I introduced another...

Regards
Pedro
On Aug 4, 2013 11:08 AM, "Sebastian Ramacher" <sramac...@debian.org> wrote:

> Hi Pedro,
>
> thank you for reporting this security issue.
>
> On 2013-08-04 10:35:46, Pedro R wrote:
> > diff -urb lcms-1.19.dfsg/samples/icctrans.c
> lcms-1.19.dfsg-patched/samples/icctrans.c
> > --- lcms-1.19.dfsg/samples/icctrans.c 2009-10-30 15:57:45.000000000 +0000
> > +++ lcms-1.19.dfsg-patched/samples/icctrans.c 2013-08-04
> 10:31:36.608445149 +0100
> > @@ -500,7 +500,7 @@
> >
> >      Prefix[0] = 0;
> >      if (!lTerse)
> > -        sprintf(Prefix, "%s=", C);
> > +        snprintf(Prefix, 20, "%s=", C);
> >
> >      if (InHexa)
> >      {
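
Review bot: the size argument 20 in the snprintf call is a hard-coded literal, and the declaration of Prefix is not visible in this hunk, so the bound cannot be checked against the buffer from here. If Prefix is an array in scope, use sizeof(Prefix) so the limit follows the declaration. snprintf also truncates silently, so a long C would produce a prefix without the trailing "=".
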
> > @@ -648,7 +648,9 @@
> >  static
> >  void GetLine(char* Buffer)
> >  {
> > -    scanf("%s", Buffer);
> > +    size_t Buffer_size = sizeof(Buffer);
> > +    fgets(Buffer, (Buffer_size - 1), stdin);
> > +    sscanf("%s", Buffer);
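
Review bot: sizeof(Buffer) in the first added line is taken on the char* parameter of GetLine, so it yields the size of a pointer rather than the size of the caller's buffer, and fgets is limited to a handful of bytes. Pass the buffer length into GetLine as a second parameter and hand it to fgets unchanged (fgets already reserves the byte for the terminating NUL, so the - 1 is not needed). The sscanf arguments are also reversed: as written, "%s" is the input and Buffer, which holds the line just read, is the format. The fgets return value is unchecked as well, so Buffer is used even on EOF.
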
>
> This sscanf call is wrong and introduces a format string vulnerability.
> sscanf's signature is int sscanf(const char* str, const char* fmt, ...)
> where str is used as input and format is the second argument.
>
> Regards
> --
> Sebastian Ramacher
>
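
Added example, not part of the original thread or of lcms: a bounded line reader that uses the sscanf argument order Sebastian describes and takes the buffer size as an explicit parameter. The names `first_token` and `get_line`, the `FILE*` parameter and the 256-byte line limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the first whitespace-delimited token of `line` into `out` (capacity
 * `size`). Returns the token length, or -1 if there is none. */
static int first_token(const char *line, char *out, size_t size)
{
    char fmt[32];

    if (out == NULL || size < 2)
        return -1;
    out[0] = '\0';
    /* Width-limited format built from the trusted size, e.g. "%19s". */
    snprintf(fmt, sizeof fmt, "%%%zus", size - 1);
    /* Argument order: input string first, format second. The untrusted
     * line is only ever data, so "%n" or "%s" inside it is inert. */
    if (sscanf(line, fmt, out) != 1)
        return -1;
    return (int)strlen(out);
}

/* Bounded stand-in for scanf("%s", Buffer). The size is a parameter because
 * sizeof applied to a char* parameter gives the pointer size. */
static int get_line(FILE *in, char *out, size_t size)
{
    char line[256];   /* assumed maximum line length for this sketch */
    int c;

    if (fgets(line, sizeof line, in) == NULL)   /* EOF or read error */
        return -1;
    if (strchr(line, '\n') == NULL)             /* over-long line: drop the tail */
        while ((c = getc(in)) != EOF && c != '\n')
            ;
    return first_token(line, out, size);
}

int main(void)
{
    char buf[20];

    if (get_line(stdin, buf, sizeof buf) >= 0)
        printf("token: %s\n", buf);
    return 0;
}
```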
