Dependency Graph

Dependency Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

IDProjectCategoryView StatusLast Update
0001670SOGoSOPEpublic2012-03-23 19:23
Reporteravoegele Assigned Toludovic  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Product Versionnightly v2 
Target Version1.3.15Fixed in Version1.3.15 
Summary0001670: Building NGLogSyslogAppender.m with -Werror=format-security fails
Description

When building NGLogSyslogAppender.m with the compiler option -Werror=format-security the build fails as the compiler cannot determine whether a format string is passed to syslog() or not:

syslog(level, [formattedMsg cString]);

The following idiom is secure and makes GCC happy:

syslog(level, "%s", [formattedMsg cString]);

From the syslog(3) manual page:

Never pass a string with user-supplied data as a format, use the
following instead:

   syslog(priority, "%s", string);
Additional Information

See http://wiki.debian.org/Hardening for more information.

TagsNo tags attached.

Activities

2012-03-10 08:59

 

NGLogSyslogAppender_m.diff (485 bytes)   
--- sope-core/NGExtensions/NGLogging.subproj/NGLogSyslogAppender.m.orig	2012-01-20 01:56:03.000000000 +0100
+++ sope-core/NGExtensions/NGLogging.subproj/NGLogSyslogAppender.m	2012-03-10 09:28:22.000000000 +0100
@@ -86,7 +86,7 @@
   
   formattedMsg = [self formattedEvent:_event];
   level = [self syslogLevelForLogLevel:[_event level]];
-  syslog(level, [formattedMsg cString]);
+  syslog(level, "%s", [formattedMsg cString]);
 }
 
 - (int)syslogLevelForLogLevel:(NGLogLevel)_level {
NGLogSyslogAppender_m.diff (485 bytes)   
ludovic

ludovic

2012-03-23 19:23

administrator   ~0003635

Fixed: http://mtn.inverse.ca/revision/diff/df0ef67a4bf2065b385d60810d28973f0fb0c981/with/c60cd0952994b1cdcab7aebd637a1fa8e01da711

Issue History

Date Modified Username Field Change
2012-03-10 08:59 avoegele New Issue
2012-03-10 08:59 avoegele File Added: NGLogSyslogAppender_m.diff
2012-03-16 18:32 ludovic Target Version => 1.3.14
2012-03-23 12:33 francis Target Version 1.3.14 => 1.3.15
2012-03-23 19:23 ludovic Note Added: 0003635
2012-03-23 19:23 ludovic Status new => resolved
2012-03-23 19:23 ludovic Fixed in Version => 1.3.15
2012-03-23 19:23 ludovic Resolution open => fixed
2012-03-23 19:23 ludovic Assigned To => ludovic