Wireshark-bugs: [Wireshark-bugs] [Bug 2846] New: Insecure use of vsprintf() in tools/lemon/lemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2846
Summary: Insecure use of vsprintf() in tools/lemon/lemon.c
Product: Wireshark
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: Trivial
Priority: Low
Component: Extras
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: andy@xxxxxxxxxxxxxxxxxxx
Andre Guibert de Bruet <andy@xxxxxxxxxxxxxxxxxxx> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2208|                            |review_for_checkin?
               Flag|                            |
Created an attachment (id=2208)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2208)
Fix for insecure vsprintf use
Build Information:
TShark 1.0.2
Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.16.4, with libpcap 0.9.8, with libz 1.2.3, without POSIX
capabilities, without libpcre, without SMI, without ADNS, without Lua, without
GnuTLS, without Gcrypt, with MIT Kerberos.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.
Running on Darwin 9.4.0 (MacOS 10.5.4), with libpcap version 0.9.8.
Built using gcc 4.0.1 (Apple Inc. build 5465).
--
vsprintf() is called against a static buffer of 10000 bytes in length and
user-modifiable input parameters. The attached patch uses the more secure
vsnprintf() to accomplish the building of the error message.
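The change described in the report, sketched as an added example (it is not the attached patch and not lemon.c code): a bounded error-message formatter built on vsnprintf() that also reports truncation to the caller. The names build_error_msg, ERRBUF_SIZE, demo_oversized and the sample message are hypothetical; only the 10000-byte buffer size comes from the report.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 10000 /* buffer size given in the report */

/* Hypothetical helper (not lemon.c code). Returns 0 if the message fit,
 * 1 if it was truncated, -1 on a bad argument or formatting error.
 * The unbounded form would be vsprintf(buf, fmt, ap), which keeps writing
 * past buf when the expanded message exceeds the buffer. */
static int build_error_msg(char *buf, size_t size, const char *fmt, ...)
{
    static const char mark[] = "...";
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap); /* writes at most size-1 chars + NUL */
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return -1; }
    if ((size_t)n >= size) { /* n is the length the full message needed */
        if (size > sizeof mark) /* make the truncation visible */
            memcpy(buf + size - sizeof mark, mark, sizeof mark);
        return 1;
    }
    return 0;
}

/* Constructed input: a 20000-character token, twice the buffer size. */
static size_t demo_oversized(void)
{
    static char errmsg[ERRBUF_SIZE];
    static char token[20001];
    int rc;

    memset(token, 'A', sizeof token - 1);
    token[sizeof token - 1] = '\0';
    rc = build_error_msg(errmsg, sizeof errmsg,
                         "grammar.y:%d: unknown symbol \"%s\"", 12, token);
    return rc == 1 ? strlen(errmsg) : 0;
}

int main(void)
{
    printf("stored length: %lu\n", (unsigned long)demo_oversized());
    return 0;
}
```

Checking the return value matters because a silently truncated diagnostic can hide the part of the input that caused the error.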