Hi Frank, Ken; I'd be happy to expand my notes for an email or file bug reports for specific items if you'd feel it would be more useful than generic platitudes like "check all snprintf() calls for error returns", "check sprintf() string inputs for proper lengths", "fix most of the cppcheck results", "switch most executions away from system() towards execve()", "switch malloc(a*b) to calloc(a,b)" etc.
I made note of the system() and popen() wrappers as I found them with the intention of re-grepping the sources for the new functions and looking for further instances of potentially unsafe inputs being handed to sh. I never returned to this, but did want to point out that these wrappers are encouraging string-based "command line" execution rather than using the safer execve()-based methods (even when the execve() method would have otherwise been more convenient).

Thanks

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700827

Title: [MIR] pcp package
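The three review items above (unchecked snprintf() returns, malloc(a*b) wrap-around, and string-based system() execution) shown as small defensive helpers. This is an added example, not code from pcp or from the email's author; the function names are invented for illustration.

```c
/* Added example: defensive counterparts to the patterns flagged in the
 * review. Helper names (alloc_array, build_path, run_argv) are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1. malloc(a*b) silently wraps when a*b exceeds SIZE_MAX; calloc(a,b)
 *    (or an explicit check like this one) refuses instead. */
void *alloc_array(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size) {  /* product would overflow */
        errno = EOVERFLOW;
        return NULL;
    }
    return calloc(count, size);                  /* zeroed and size-checked */
}

/* 2. snprintf() returns the length it *wanted* to write; a value >= the
 *    buffer size means truncation, and a truncated path or command line
 *    must not be used as if it were complete. */
int build_path(char *buf, size_t len, const char *dir, const char *name)
{
    int n = snprintf(buf, len, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= len)
        return -1;                               /* encoding error or truncated */
    return n;                                    /* bytes written, excluding NUL */
}

/* 3. Run a program from an argv array instead of system("... %s ...").
 *    Untrusted input stays exactly one argument; no shell ever parses it.
 *    Returns the child's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                              /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```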
