[tex4ht] [bug #472] src/htcmd.c fails to compile with format-security
Ulrich Müller
puszcza-hackers at gnu.org.ua
Tue Jun 30 09:40:02 CEST 2020
Follow-up Comment #2, bug #472 (project tex4ht):
The Gentoo package compiles and installs htcmd for some reason (presumably
https://bugs.gentoo.org/85301#c2 which is a little weak indeed), so the
format-security issue has popped up in an automatic scan.
Looking at the source code, the command seems to do conversion from slashes to
backslashes in path names, which doesn't look useful outside of the
MS-DOS/Windows world.
BTW, there may be more security issues: warn_err_mssg[] has only one element
and err_i() accesses it out of bounds. The command line buffer is allocated
with a fixed size and populated without any size checks.
So, I'm going to drop htcmd from the Gentoo package. Sorry for the noise.
_______________________________________________________
Reply to this item at:
<http://puszcza.gnu.org.ua/bugs/?472>
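
The three defect classes named in the comment above (a non-literal format string, an out-of-bounds index into the message table, and a fixed-size command buffer filled without size checks), shown in hardened form as an added example. This is not code from htcmd.c or from the poster; the names messages, err_text, report and build_cmdline, the buffer sizes and the sample arguments are all assumptions constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed message table; the count is derived from the table itself. */
static const char *const messages[] = {
    "command line exceeds 100% of buffer",
    "cannot run command",
};
#define N_MESSAGES (sizeof messages / sizeof messages[0])

/* Bounds-checked lookup: an unknown index yields a fixed fallback string. */
const char *err_text(size_t i)
{
    return i < N_MESSAGES ? messages[i] : "unknown error";
}

/* The message is data behind a literal "%s" (what -Werror=format-security
   requires), so the '%' in message 0 is copied, not interpreted. */
int report(char *out, size_t outsz, size_t i)
{
    return snprintf(out, outsz, "%s", err_text(i));
}

/* Join argv[0..argc-1] with spaces into dst, turning '/' into '\\'.
   Returns the length written, or -1 if the result would not fit. */
int build_cmdline(char *dst, size_t dstsz, int argc, const char *const *argv)
{
    size_t used = 0;
    if (dstsz == 0) return -1;
    for (int a = 0; a < argc; a++) {
        size_t len = strlen(argv[a]);
        size_t need = len + (a > 0 ? 1 : 0);
        if (need >= dstsz - used)        /* keep one byte for the terminator */
            return -1;
        if (a > 0) dst[used++] = ' ';
        for (size_t k = 0; k < len; k++)
            dst[used++] = argv[a][k] == '/' ? '\\' : argv[a][k];
    }
    dst[used] = '\0';
    return (int)used;
}

int main(void)
{
    const char *const args[] = { "copy", "a/b/c.tex", "d/e" }; /* constructed */
    char cmd[64], msg[64];
    int n = build_cmdline(cmd, sizeof cmd, 3, args);
    if (n < 0) report(msg, sizeof msg, 0);
    puts(n < 0 ? msg : cmd);
    return n < 0;
}
```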