On Wed, Dec 03, 2003 at 04:30:38PM +0300, S-Quadra Security Research wrote:
> if(gotit)
> {
> // S-Quadra: here is where format string bug lives
> fprintf(output,line);
> if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0)
> break;
> }
This one is indeed a problem.
> if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0)
> {
> // S-Quadra: here is where format string bug lives
> fprintf(output,line);
> gotit=1;
> }
But this one is not. You can't get to the dangerous fprintf without
"line" being verified as safe.
David
