bugtex4ht - Bugs: bug #472, src/htcmd.c fails to compile with...

 
 
Show feedback again

You are not allowed to post comments on this tracker with your current authentification level.

bug #472: src/htcmd.c fails to compile with format-security

Submitted by:  Ulrich Müller <ulm>
Submitted on:  Mon Jun 29 06:48:45 2020  
 
Category: NonePriority: 5 - Normal
Severity: 5 - NormalStatus: None
Privacy: PublicAssigned to: None
Open/Closed: Closed

Tue Jun 30 07:35:03 2020, comment #2:

The Gentoo package compiles and installs htcmd for some reason (presumably https://bugs.gentoo.org/85301#c2 which is a little weak indeed), so the format-security issue has popped up in an automatic scan.

Looking at the source code, the command seems to do conversion from slashes to backslashes in path names, which doesn't look useful outside of the MS-DOS/Windows world.

BTW, there may be more security issues: warn_err_mssg[] has only one element and err_i() accesses it out of bounds. The command line buffer is allocated with a fixed size and populated without any size checks.

So, I'm going to drop htcmd from the Gentoo package. Sorry for the noise.

Ulrich Müller <ulm>
Mon Jun 29 22:20:18 2020, comment #1:

Thanks. I made the changes in tex4ht-htcmd.tex, which generates htcmd.c. Will attach the new .c for possible convenience.

BTW, htcmd has never been compiled or distributed by TeX Live.
Maybe it is not actually needed?

Thanks again,
Karl

(file #352)

Karl Berry <karl>
Project Administrator
Mon Jun 29 06:48:45 2020, original submission:

Forwarding downstream bug: https://bugs.gentoo.org/554636

src/htcmd.c fails to compile with format-security (which many distros use to build their packages). To reproduce, use -Werror=format-security in gcc flags.

More info at https://fedoraproject.org/wiki/Format-Security-FAQ

See attached patch for a fix.

Ulrich Müller <ulm>

 

Attached Files
file #352:  htcmd.c added by karl (9kB - text/x-csrc)
file #351:  tex4ht-format-security.patch added by ulm (510B - text/x-patch)

 

Depends on the following items: None found

Items that depend on this one: None found

 

Carbon-Copy List
  • -unavailable- added by karl (Updated the item)
  • -unavailable- added by ulm (Submitted the item)

    •  

    Do you think this task is very important?
    If so, you can click here to add your encouragement to it.
    This task has 0 encouragements so far.

    Only logged-in users can vote.

     

    Please enter the title of George Orwell's famous dystopian book (it's a date):

     

     

    3 latest changes follow.

    Date Changed By Updated Field Previous Value => Replaced By
    Mon Jun 29 22:20:18 2020karlAttached File-=>Added htcmd.c, #352
      Open/ClosedOpen=>Closed
    Mon Jun 29 06:48:45 2020ulmAttached File-=>Added tex4ht-format-security.patch, #351
    Show feedback again

    Back to the top


    Copyright © 2005 – 2021 Sergey Poznyakoff
    Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.

    Powered by Savane 3.1-cleanup+gray