[courier-users] [patch] disable warnings regarding format string security

2015-05-12 Thread Hanno Böck
Hi,

Current gcc versions have a feature that warns when non-literal
strings are used as format strings (-Wformat-security). Fixing these
warnings can protect against possible format string vulnerabilities.

Such a warning is not by default a sign of a vulnerability, because in
many situations the strings are not attacker-controlled. However, it is
still good coding practice to change them all not to throw a warning.

See here for more info:
https://fedoraproject.org/wiki/Format-Security-FAQ

Some distributions plan to enable -Wformat-security by default.

Attached patch will fix two instances of this warning in courier.
Please apply.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
diff -Naur a/libs/sqwebmail/pcp.c b/libs/sqwebmail/pcp.c
--- a/libs/sqwebmail/pcp.c	2013-08-25 20:46:53.0 +0200
+++ b/libs/sqwebmail/pcp.c	2015-05-12 11:46:12.302206143 +0200
@@ -1518,7 +1518,7 @@
 			printf(/span/tdtd width=\30\nbsp;/tdtd width=\100%%\span class=\tt\);
 			if (p-address  strcmp(p-address, @))
 			{
-printf(getarg(CONFLICTERR2));
+printf(%s, getarg(CONFLICTERR2));
 print_safe(p-address);
 			}
 			else
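Review bot: in pcp.c, at the CONFLICTERR2 call, moving the getarg() result behind "%s" changes how a `%%` in that message text is rendered: the old call collapsed it to a single percent sign, the new one prints both characters (the context line above still relies on `100%%` inside a literal format). Please confirm the CONFLICTERR2 text carries no `%%` escapes. Since nothing is being formatted here, fputs(getarg(CONFLICTERR2), stdout) would state the intent more directly.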
diff -Naur a/libs/sqwebmail/sqwebmail.c b/libs/sqwebmail/sqwebmail.c
--- a/libs/sqwebmail/sqwebmail.c	2013-11-25 03:02:39.0 +0100
+++ b/libs/sqwebmail/sqwebmail.c	2015-05-12 11:46:14.218206288 +0200
@@ -1097,7 +1097,7 @@
 c=strchr(c, '.');
 if (c)
 {
-	printf(sep);
+	printf(%s, sep);
 	print_safe(c+1);
 }
 			}
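Review bot: in sqwebmail.c, `sep` is still written unescaped while the adjacent `c+1` goes through print_safe(), and the hunk does not show where `sep` is assigned. A short comment at this call stating that `sep` is a fixed separator string would document why raw output is acceptable. fputs(sep, stdout) would do the same job with no format string at all.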


courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
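
An added example, not part of the original post or of courier's code: it audits a string for conversions that would consume arguments if it were used as a printf format, and shows the one defined difference between the pre-patch and post-patch call patterns (`%%` handling). The function names are hypothetical and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversions in s that would consume an argument if s were used
 * as a printf format. "%%" consumes none. Simplified scan: flags, width,
 * precision and length modifiers are skipped, each '*' counts as one
 * argument, and a dangling '%' at the end is counted as a bad directive. */
static int arg_consuming_directives(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        while (*s && strchr("-+ #0123456789.hlLqjzt*", *s))
            if (*s++ == '*') n++;
        n++;                    /* the conversion itself */
        if (*s) s++;
    }
    return n;
}

/* Post-patch pattern: s is data under a constant "%s" format. */
static int render_as_data(char *out, size_t len, const char *s)
{
    return snprintf(out, len, "%s", s);
}

/* Pre-patch pattern: s is the format. Behaviour is defined only when
 * arg_consuming_directives(s) == 0, so the caller must check first. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int render_as_format(char *out, size_t len, const char *s)
{
    return snprintf(out, len, s);
}
#pragma GCC diagnostic pop

int main(void)
{
    /* Constructed sample strings, not taken from courier. */
    const char *samples[] = { "Conflict with ", "100%% full", "100% full", "%*d items" };
    char a[64], b[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int n = arg_consuming_directives(samples[i]);
        render_as_data(a, sizeof a, samples[i]);
        if (n == 0) render_as_format(b, sizeof b, samples[i]);
        printf("%-16s args=%d data=[%s] format=[%s]\n",
               samples[i], n, a, n ? "(skipped)" : b);
    }
    return 0;
}
```

Note that "100% full" counts as one directive: printf parses the space as a flag and the `f` as a floating-point conversion.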


Re: [courier-users] [patch] disable warnings regarding format string security

2015-05-12 Thread Sam Varshavchik

Hanno Böck writes:

> Some distributions plan to enable -Wformat-security by default.
>
> Attached patch will fix two instances of this warning in courier.
> Please apply.


Ok.

In neither of these two instances does the format string include untrusted
data.



