
Re: Six more + gpsd: msg#00025

Subject: Re: Six more + gpsd
On Wed, Jan 26, 2005 at 11:58:03PM +0100, Ulf Härnhammar wrote:

> http://bugs.debian.org/290822 (billard-gl)
> http://bugs.debian.org/291613 (xshisen again.. aaarghh!)
> http://bugs.debian.org/291620 (ltris)
> http://bugs.debian.org/291635 (man2html)
> http://bugs.debian.org/292263 (scummvm)
> http://bugs.debian.org/292264 (penguin-command)

  Lots of fun ones :)

> I can officially say that  fscanf(fp, "%s", buf);  has
> replaced  sprintf(buf, "%s/blah", getenv("HOME"));  as
> my biggest hate object.

  Hehe .. understandable.  I thought that fscanf had been
 widely recognised as being dangerous.  If not it should be.

> Joey Hess has found even more security problems with xshisen
> (#292065), so people are debating removing the gid-ness from
> that nice game.

  Good idea.  I think that's four people now with different
 bugs .. either we're all slipping, or we're doing a good job.
 I'll choose to believe the latter for now.

> KF found my format string bug in gpsd (#292370)! I can't prove
> it, but I really found that bug too some time ago. I meant to
> audit the rest of gpsd (bad idea?), but I didn't for some
> reason, and now he's found it too and made it public. Oh well.

  I think that happens a lot.  I've sat on a pile for a while
 and had a lot reported before I got round to patching them
 or writing things up.  I guess it doesn't matter too much so
 long as they are fixed.

Steve
--
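The two constructs Ulf names above, fscanf(fp, "%s", buf) and sprintf(buf, "%s/blah", getenv("HOME")), are worth seeing next to their fixed forms, because the fix is not just "use a width" or "use snprintf": a width leaves the tail of an over-long token in the stream, and snprintf silently truncates unless its return value is checked. The C below is an added example written for this page; it is not code from any of the packages in the thread. The buffer sizes, the ".gamerc" file name, and the fmemopen-fed sample inputs are all constructed for the demonstration. The reason it matters for the games discussed here is the setgid bit: the environment and any file the game reads come from the invoking user, so an overflow on either path crosses a privilege boundary.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), used only to feed constructed input */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes are deliberately small so the failure modes are easy to hit (constructed). */
#define WORD_MAX 15                 /* longest token we accept */
#define BUF_SZ   (WORD_MAX + 1)     /* plus the terminating NUL */
#define PATH_SZ  64
#define STR_(x)  #x
#define STR(x)   STR_(x)            /* turns WORD_MAX into the literal "15" */

/* The two constructs as they appear in the wild. Kept for comparison only. */

/* "%s" has no width: fscanf copies until whitespace, however long that is,
 * so any token of BUF_SZ bytes or more writes past the end of buf. */
static int read_word_unsafe(FILE *fp, char buf[BUF_SZ])
{
    return fscanf(fp, "%s", buf);
}

/* In a setgid program HOME is chosen by the invoking user: a long HOME
 * overflows out, an unset HOME hands sprintf a NULL pointer. */
static void home_path_unsafe(char out[PATH_SZ])
{
    sprintf(out, "%s/.gamerc", getenv("HOME"));
}

/* Hardened reader. Returns 1 for a complete token in buf; 0 if the token was
 * longer than WORD_MAX (buf holds the prefix, the rest is drained so the
 * stream stays in sync); -1 on EOF or error (buf untouched). */
static int read_word_safe(FILE *fp, char buf[BUF_SZ])
{
    if (fscanf(fp, "%" STR(WORD_MAX) "s", buf) != 1)
        return -1;
    int c = fgetc(fp);
    if (c == EOF || isspace(c)) {       /* stopped at a delimiter: token is whole */
        if (c != EOF) ungetc(c, fp);
        return 1;
    }
    while (c != EOF && !isspace(c))     /* token was cut: discard its tail */
        c = fgetc(fp);
    if (c != EOF) ungetc(c, fp);
    return 0;
}

/* Hardened path builder. home is a parameter rather than getenv("HOME") so it
 * can be tested; callers pass getenv("HOME"). Returns 0 on success, -1 if HOME
 * is missing or the result would not fit (out is emptied, never truncated). */
static int home_path_safe(const char *home, char *out, size_t outsz)
{
    if (home == NULL || home[0] == '\0')
        return -1;
    int n = snprintf(out, outsz, "%s/.gamerc", home);
    if (n < 0 || (size_t)n >= outsz) {  /* snprintf reports the length it wanted */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Feed one constructed string through the safe reader. */
static int read_from_string(const char *s, char buf[BUF_SZ])
{
    FILE *fp = fmemopen((void *)s, strlen(s), "r");
    if (fp == NULL) return -2;
    int r = read_word_safe(fp, buf);
    fclose(fp);
    return r;
}

/* Count tokens that arrived whole; an over-long token is skipped as a unit,
 * not re-split into several bogus tokens by later reads. */
static int count_complete_words(const char *s)
{
    FILE *fp = fmemopen((void *)s, strlen(s), "r");
    char buf[BUF_SZ];
    int r, n = 0;
    if (fp == NULL) return -2;
    while ((r = read_word_safe(fp, buf)) >= 0)
        if (r == 1) n++;
    fclose(fp);
    return n;
}

int main(void)
{
    char buf[BUF_SZ], out[PATH_SZ];
    printf("short token: %d (%s)\n", read_from_string("hello world", buf), buf);
    printf("long token:  %d (%s)\n", read_from_string("AAAAAAAAAAAAAAAAAAAAAAAA tail", buf), buf);
    printf("complete words: %d\n", count_complete_words("AAAAAAAAAAAAAAAAAAAAAAAA next last"));
    printf("path: %d (%s)\n", home_path_safe("/home/ulf", out, sizeof out), out);
    printf("no HOME: %d\n", home_path_safe(NULL, out, sizeof out));
    (void)read_word_unsafe;             /* never run these on untrusted input */
    (void)home_path_unsafe;
    return 0;
}
```

Two points the page's one-liners do not show: after a truncated "%15s" read, the next fscanf would happily return the leftover tail as a fresh token, which is why read_word_safe drains it and reports the truncation instead of pretending the read succeeded; and snprintf's return value is the only way to tell that "/home/.../.gamerc" was cut short, so a build that ignores it turns an overflow into a silently wrong file path, which for a setgid program is still a bug worth refusing on.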

