[tex4ht] [bug #472] src/htcmd.c fails to compile with format-security

2020-06-30 Thread Ulrich Müller
Follow-up Comment #2, bug #472 (project tex4ht):

The Gentoo package compiles and installs htcmd for some reason (presumably
https://bugs.gentoo.org/85301#c2 which is a little weak indeed), so the
format-security issue has popped up in an automatic scan.

Looking at the source code, the command seems to do conversion from slashes to
backslashes in path names, which doesn't look useful outside of the
MS-DOS/Windows world.

BTW, there may be more security issues: warn_err_mssg[] has only one element
and err_i() accesses it out of bounds. The command line buffer is allocated
with a fixed size and populated without any size checks.

So, I'm going to drop htcmd from the Gentoo package. Sorry for the noise.


___

Reply to this item at:

  

___
  Message sent via/by Puszcza
  http://puszcza.gnu.org.ua/
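
The three issue classes named in the comment above (a non-literal format string, an out-of-bounds read of a message table, and a fixed-size command buffer filled without size checks), written with the checks in place. This is an added example, not part of the thread or of the tex4ht sources; the function names, messages and buffer sizes are assumptions made for illustration.

```c
/* Added example, not tex4ht code. All names and messages are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Messages are plain data with no conversion specifiers. */
static const char *const err_msgs[] = { "cannot open file", "command line too long" };
#define N_MSGS (sizeof err_msgs / sizeof err_msgs[0])

/* -Werror=format-security rejects calls of the form  fprintf(stderr, msg);
 * because any '%' in msg would be interpreted as a conversion.
 * Here the format is a literal and both strings go through %s; the index
 * is checked so the table is never read out of bounds.
 * Returns the snprintf() result, or -1 for an unknown index. */
int format_err(char *out, size_t outsz, size_t idx, const char *arg)
{
    if (idx >= N_MSGS)
        return -1;
    return snprintf(out, outsz, "%s: %s\n", err_msgs[idx], arg);
}

/* Append src to the NUL-terminated command buffer, converting '/' to '\\'.
 * Returns 0 on success, -1 if src does not fit (buf is left unchanged). */
int append_path(char *buf, size_t bufsz, const char *src)
{
    const char *end = memchr(buf, '\0', bufsz);
    size_t used, n = strlen(src);

    if (end == NULL)
        return -1;                      /* buffer is not terminated */
    used = (size_t)(end - buf);
    if (n >= bufsz - used)              /* need n bytes plus the terminator */
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[used + i] = (src[i] == '/') ? '\\' : src[i];
    buf[used + n] = '\0';
    return 0;
}

int main(void)
{
    char cmd[16] = "", msg[64];         /* constructed sample input below */

    if (append_path(cmd, sizeof cmd, "dir/file.tex") == 0)
        puts(cmd);
    if (append_path(cmd, sizeof cmd, "/much/longer/path") != 0 &&
        format_err(msg, sizeof msg, 1, "%n%s") > 0)
        fputs(msg, stdout);
    return 0;
}
```

Building this with -Werror=format-security succeeds because every printf-family call has a literal format string.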


[tex4ht] [bug #472] src/htcmd.c fails to compile with format-security

2020-06-29 Thread Karl Berry
Update of bug #472 (project tex4ht):

 Open/Closed: Open => Closed

___

Follow-up Comment #1:

Thanks. I made the changes in tex4ht-htcmd.tex, which generates htcmd.c. Will
attach the new .c for possible convenience.

BTW, htcmd has never been compiled or distributed by TeX Live.
Maybe it is not actually needed?

Thanks again,
Karl


(file #352)
___

Additional Item Attachment:

File name: htcmd.c  Size: 8 KB





[tex4ht] [bug #472] src/htcmd.c fails to compile with format-security

2020-06-29 Thread Ulrich Müller

Summary: src/htcmd.c fails to compile with format-security
Project: tex4ht
Submitted by: ulm
Submitted on: Mon 29 Jun 2020 09:48:45 AM EEST
Category: None
Priority: 5 - Normal
Severity: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any

___

Details:

Forwarding downstream bug: https://bugs.gentoo.org/554636

src/htcmd.c fails to compile with format-security (which many distros use to
build their packages). To reproduce, use -Werror=format-security in gcc
flags.

More info at https://fedoraproject.org/wiki/Format-Security-FAQ

See attached patch for a fix.




___

File Attachments:


---
Date: Mon 29 Jun 2020 09:48:45 AM EEST  Name: tex4ht-format-security.patch 
Size: 510B   By: ulm


