Follow-up Comment #2, bug #472 (project tex4ht):

The Gentoo package compiles and installs htcmd for some reason (presumably
https://bugs.gentoo.org/85301#c2 which is a little weak indeed), so the
format-security issue has popped up in an automatic scan.

Looking at the source code, the command seems to do conversion from slashes to
backslashes in path names, which doesn't look useful outside of the
MS-DOS/Windows world.

BTW, there may be more security issues: warn_err_mssg[] has only one element
and err_i() accesses it out of bounds. The command line buffer is allocated
with a fixed size and populated without any size checks.

So, I'm going to drop htcmd from the Gentoo package. Sorry for the noise.


    _______________________________________________________

Reply to this item at:

  <http://puszcza.gnu.org.ua/bugs/?472>

_______________________________________________
  Message sent via/by Puszcza
  http://puszcza.gnu.org.ua/

Reply via email to