On Wed, Dec 4, 2013 at 3:54 PM, Brendan Jones <brendan.jones.it@xxxxxxxxx> wrote:
> On 12/05/2013 12:28 AM, Miloslav Trmač wrote:
>>
>> On Thu, Dec 5, 2013 at 12:11 AM, Brendan Jones
>> <brendan.jones.it@xxxxxxxxx> wrote:
>>>
>>> On 12/05/2013 12:11 AM, Ian Pilcher wrote:
>>>>
>>>> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>>>>>
>>>>> Patching is not a problem. Unnecessary is the question. Explain to me
>>>>> (not you in particular Rahul) how these printf's can possibly be
>>>>> exploited?
>>>>
>>>> char *output;
>>>>
>>>> output = get_user_input(...);
>>>> printf(output);
>>>>
>>>> What happens when the user enters %n?
>>>>
>>> I remain unconvinced. Exploit my system with one of ams, aubio, hydrogen,
>>> jack-keyboard, phasex, portmidi or yoshimi.
>>>
>>> I just can't see it
>>
>> Suppose I create a malicious drumkit and either get it uploaded to one
>> of the officially recommended links at
>> http://www.hydrogen-music.org/hcms/node/16 , or even just attach it in
>> bugzilla to a bug report saying that the Fedora hydrogen package
>> crashes or otherwise mishandles that file (causing _you_ personally to
>> open that file, even if in a debugger)?
>>
>> Note that I _don't really know_ whether this is exploitable with
>> hydrogen; though the incorrect format strings being in a class named
>> Object does suggest that the affected input paths may be pretty
>> widespread.
>>
> Probably a bad example. I guess it's another case of educating upstream. They
> love that

It's really a trivial fix. In some of my packages it was already
patched upstream. Regardless of whether or not you are convinced or
anyone else for that matter, possible security flaws should always be
patched whether or not they are probable or improbable.

Dan
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
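
The `printf(output)` pattern quoted in the thread next to the one-line fix, with a small checker that reports which directives an untrusted string would trigger if it reached a format argument. This is an added example, not code from the thread or from any of the packages named; `render_unsafe`, `render_safe`, `count_directives` and `SHOW_VULNERABLE` are hypothetical names, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_VULNERABLE
/* Pattern quoted in the thread: the input IS the format string, so any %
 * directive in it is interpreted. Left out of the default build on purpose. */
int render_unsafe(char *dst, size_t n, const char *user)
{
    return snprintf(dst, n, user);
}
#endif

/* The fix: a constant format string; the input is only ever data. */
int render_safe(char *dst, size_t n, const char *user)
{
    return snprintf(dst, n, "%s", user);
}

/* Count the directives printf would act on if `s` were used as a format
 * string ("%%" is a literal percent). *writes receives the number of %n. */
int count_directives(const char *s, int *writes)
{
    int total = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (*++s == '%')
            continue;
        /* skip flags, width, precision, positional index, length modifiers */
        s += strspn(s, "#0- +'123456789.*$hlLqjzt");
        if (*s == '\0')
            break;
        if (*s == 'n')
            (*writes)++;
        total++;
    }
    return total;
}

int main(void)
{
    const char *sample = "kit %n %s";   /* constructed sample input */
    char buf[64];
    int writes, n = count_directives(sample, &writes);
    render_safe(buf, sizeof buf, sample);
    printf("\"%s\": %d directives, %d of them %%n\n", buf, n, writes);
    return 0;
}
```

GCC and Clang report the non-literal format call in `render_unsafe` when built with `-Wformat -Wformat-security`.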