[pkg-ntp-maintainers] Bug#627403: ntp: format-security warnings; fails to build with hardening-wrapper 1.32

Colin Watson cjwatson at ubuntu.com
Fri May 20 11:19:52 UTC 2011


Package: ntp
Version: 1:4.2.6.p2+dfsg-1
Severity: important
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu ubuntu-patch oneiric

Ubuntu's ntp package is built with hardening-wrapper (#542721).  Version
1.32 of that package enables -Werror=format-security by default.  This
exposes some mistakes which might be potential security problems in the
future (although I don't *think* they're problems right now), and which
I think we ought to fix:

 * There are a few cases where ntp assumes that the translation of a
   %-less string will also be a %-less string; ntp still uses catgets
   (!) so I'm having trouble figuring out how its translations are
   handled, but this is a fragile assumption that's often broken by
   mistake let alone malice.  (gettext at least does c-format checking
   on strings that look like format strings, but not usually on %-less
   strings.)

 * There are some functions that use snprintf or similar to construct a
   string, and then pass that to a printf-like function as a format
   string; this will cause the printf-like function to dereference junk
   pointers from the stack if one of the arguments passed to snprintf
   itself contains %, which again is easy to break by mistake let alone
   malice.

 * There's a case in ntpd/ntp_config.c where GCC isn't smart enough to
   prove that a const char * that's only ever assigned a %-less literal
   string can be treated as equivalent to such; but given the other
   problems I think it's reasonable to change the code to pacify GCC.

A quilt patch fixing these warnings is attached.

Thanks,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: format-security.patch
Type: text/x-diff
Size: 2608 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ntp-maintainers/attachments/20110520/83178baa/attachment.patch>
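
The second bullet above, as an added example that is not part of the original message, the attached patch, or the ntp source: a string built with snprintf is reused as a format string, next to the "%s" form that -Werror=format-security asks for. The names log_msg, report_fragile and report_fixed are hypothetical, and the input is constructed to contain only "%%", the one conversion that consumes no argument, so the fragile path stays well-defined while still showing that the data is being parsed as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_msg[128];  /* captures the logger's output for inspection */

/* Hypothetical printf-like logger. The format attribute is what lets GCC
 * check callers and raise -Wformat-security on a non-literal format. */
static void log_msg(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Fragile pattern: without these pragmas, -Werror=format-security rejects
 * the log_msg(buf) call below at compile time. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
const char *report_fragile(const char *detail)
{
    char buf[64];
    snprintf(buf, sizeof buf, "peer status: %s", detail);
    log_msg(buf);        /* any '%' that came from detail is now a conversion */
    return last_msg;
}
#pragma GCC diagnostic pop

/* Fixed pattern: the pre-built string is passed as data, never as a format. */
const char *report_fixed(const char *detail)
{
    char buf[64];
    snprintf(buf, sizeof buf, "peer status: %s", detail);
    log_msg("%s", buf);
    return last_msg;
}

int main(void)
{
    const char *detail = "jitter 5%% over limit";  /* constructed sample input */
    printf("fragile: %s\n", report_fragile(detail)); /* "%%" collapsed to "%" */
    printf("fixed:   %s\n", report_fixed(detail));   /* input kept verbatim */
    return 0;
}
```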

