[pkg-ntp-maintainers] Bug#627403: ntp: format-security warnings; fails to build with hardening-wrapper 1.32
Colin Watson
cjwatson at ubuntu.com
Fri May 20 11:19:52 UTC 2011
Package: ntp
Version: 1:4.2.6.p2+dfsg-1
Severity: important
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu ubuntu-patch oneiric
Ubuntu's ntp package is built with hardening-wrapper (#542721). Version
1.32 of that package enables -Werror=format-security by default. This
exposes some mistakes which might be potential security problems in the
future (although I don't *think* they're problems right now), and which
I think we ought to fix:
* There are a few cases where ntp assumes that the translation of a
  %-less string will also be a %-less string; ntp still uses catgets
  (!) so I'm having trouble figuring out how its translations are
  handled, but this is a fragile assumption that's often broken by
  mistake let alone malice. (gettext at least does c-format checking
  on strings that look like format strings, but not usually on %-less
  strings.)
* There are some functions that use snprintf or similar to construct a
  string, and then pass that to a printf-like function as a format
  string; this will cause the printf-like function to dereference junk
  pointers from the stack if one of the arguments passed to snprintf
  itself contains %, which again is easy to break by mistake let alone
  malice.
* There's a case in ntpd/ntp_config.c where GCC isn't smart enough to
  prove that a const char * that's only ever assigned a %-less literal
  string can be treated as equivalent to such; but given the other
  problems I think it's reasonable to change the code to pacify GCC.
A quilt patch fixing these warnings is attached.
Thanks,
--
Colin Watson [cjwatson at ubuntu.com]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: format-security.patch
Type: text/x-diff
Size: 2608 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ntp-maintainers/attachments/20110520/83178baa/attachment.patch>
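Added example (not part of the original message, the attached patch, or the ntp source): the snprintf-then-log pattern from the second bullet, shown in its hardened form with the fragile call left as a comment. The names log_msg, report_peer and count_conversions are hypothetical, and the peer name is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];  /* stand-in for the log sink, so the result can be inspected */

/* Hypothetical printf-like logger; the attribute lets GCC check its callers' format strings. */
__attribute__((format(printf, 1, 2)))
static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Count unescaped '%' directives that a printf-like function would interpret; "%%" is literal. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;        /* escaped percent sign, consumes no argument */
        else
            n++;        /* directive: printf would look for an argument */
    }
    return n;
}

/* Hardened form: the constructed string is data, passed through a literal "%s". */
static const char *report_peer(const char *name)
{
    char buf[128];
    snprintf(buf, sizeof buf, "peer %s unreachable", name);
    /* Fragile form rejected by -Werror=format-security: log_msg(buf); */
    log_msg("%s", buf);
    return last_log;
}

int main(void)
{
    const char *name = "host%d%s";  /* constructed sample input containing '%' */
    printf("%s\n", report_peer(name));
    printf("directives if used as a format: %d\n", count_conversions(name));
    return 0;
}
```

The same literal "%s" wrapper covers the first bullet's case, where the string reaching the logger comes from a message catalogue instead of snprintf.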