From eugene@kabir.zssm.zp.ua  Mon Oct  7 11:12:56 2002
Return-Path: <eugene@kabir.zssm.zp.ua>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9C12C37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  7 Oct 2002 11:12:56 -0700 (PDT)
Received: from kabir.zssm.zp.ua (kabir.zssm.zp.ua [212.8.32.6])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AF97243E4A
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  7 Oct 2002 11:12:51 -0700 (PDT)
	(envelope-from eugene@kabir.zssm.zp.ua)
Received: (from eugene@localhost)
	by kabir.zssm.zp.ua (8.9.3/8.9.3) id VAA62977;
	Mon, 7 Oct 2002 21:12:14 +0300 (EEST)
	(envelope-from eugene)
Message-Id: <200210071812.VAA62977@kabir.zssm.zp.ua>
Date: Mon, 7 Oct 2002 21:12:14 +0300 (EEST)
From: eugene@bran-fag.org
Reply-To: eugene@brain-fag.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: the file name is used as a format string by nvi
X-Send-Pr-Version: 3.2

>Number:         43777
>Category:       bin
>Synopsis:       the file name is used as a format string by nvi
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 07 11:20:02 PDT 2002
>Closed-Date:    Wed Oct 16 10:03:57 PDT 2002
>Last-Modified:  Wed Oct 16 10:03:57 PDT 2002
>Originator:     Eugene Polovnikov
>Release:        FreeBSD 4.7-RC i386
>Organization:
>Environment:

I guess this bug is present in all versions of NVI, at least since 1.79.

>Description:

The name of the written file ends up as part of the format string passed to vsnprintf
in msgq(), as a result of the careless (?) use of snprintf at
lines 976 & 982 of common/exf.c.

>How-To-Repeat:

Just edit any file whose name contains printf-like format codes and
look at the messages after the file is written.
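As an added illustration (not code from this PR or from nvi itself), here is a reduced model of the pattern the report describes: a vsnprintf-based message routine that receives a file-name-derived buffer as its format string, beside the "%s" form. The names msgq_demo, build_status, report_written_unsafe/report_written_safe and the sample file name are constructed for this example; a name containing "%%" is used because it is the one case whose behaviour as a format is well-defined, so the difference between the two forms is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for nvi's msgq(): formats its message with vsnprintf, which is
 * the step where a non-literal format string becomes a problem. */
static void msgq_demo(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The report's pattern: the file name is baked into buffer s by snprintf,
 * so any '%' in the name ends up inside s. */
static void build_status(char *s, size_t slen, const char *name, unsigned long lines)
{
    snprintf(s, slen, "%s: %lu lines", name, lines);
}

/* Vulnerable form (msgq(sp, M_INFO, s)): s is the format string, so the
 * file name's '%' sequences are parsed by vsnprintf; "%%" collapses to "%". */
const char *report_written_unsafe(const char *name, unsigned long lines)
{
    static char s[256], out[256];
    build_status(s, sizeof s, name, lines);
    msgq_demo(out, sizeof out, s);   /* bug: name-derived data used as format */
    return out;
}

/* Hardened form (msgq(sp, M_INFO, "%s", s)): the format is a literal and
 * s is only ever an argument, so it is copied verbatim. */
const char *report_written_safe(const char *name, unsigned long lines)
{
    static char s[256], out[256];
    build_status(s, sizeof s, name, lines);
    msgq_demo(out, sizeof out, "%s", s);
    return out;
}

int main(void)
{
    const char *name = "100%% done.txt";  /* constructed sample file name */
    printf("unsafe: %s\n", report_written_unsafe(name, 3));
    printf("safe:   %s\n", report_written_safe(name, 3));
    return 0;
}
```

Declaring msgq_demo with `__attribute__((format(printf, 3, 4)))` makes gcc/clang report the unsafe call under -Wformat-security, which is the cheapest way to find the remaining call sites of this shape.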


>Fix:

Maybe not a real fix, but only a workaround:

--- exf.c.ORIG	Mon Oct  7 21:00:26 2002
+++ exf.c	Mon Oct  7 21:03:55 2002
@@ -1004,7 +1004,7 @@
 			*--s = '.';
 		}
 	}
-	msgq(sp, M_INFO, s);
+	msgq(sp, M_INFO, "%s", s);
 	if (nf)
 		FREE_SPACE(sp, p, 0);
 	return (0);
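Review bot: this is the proper fix rather than only a workaround as the Fix section suggests: with `msgq(sp, M_INFO, "%s", s);` the buffer `s`, which carries the file name, is only ever a conversion argument, so vsnprintf inside msgq() never interprets any `%` sequence from the name. Worth checking in the same pass are the other msgq() call sites in exf.c that pass a buffer built by snprintf rather than a string literal, since they have the same shape.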

and another patch, not directly related, but it may close similar problems:

--- msg.c.orig	Mon Oct  7 21:05:35 2002
+++ msg.c	Mon Oct  7 21:06:30 2002
@@ -368,7 +368,7 @@
 	char *p;
 
 	if (str == NULL) {
-		msgq(sp, mtype, fmt);
+		msgq(sp, mtype, "%s", fmt);
 		return;
 	}
 
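Review bot: the argument here is already named `fmt`, i.e. it is the format string the caller of this function supplies, so wrapping it as `msgq(sp, mtype, "%s", fmt);` changes behaviour rather than hardening it: any conversion the caller placed in `fmt` (presumably the one that `str` fills when it is non-NULL) is now printed literally instead of being applied. Unless some caller passes untrusted data as `fmt`, the original call is the intended use and this hunk is not needed.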


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Wed Oct 16 10:01:36 PDT 2002 
State-Changed-Why:  
Fixed in 4.7-STABLE, in src/contrib/nvi/common/exf.c,v 1.3.2.2. 
The msg.c patch is not needed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43777 
>Unformatted:
