[Bug 528000] Tainted variables in sprintf format

bugzilla at redhat.com bugzilla at redhat.com
Thu Oct 8 17:38:43 UTC 2009


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=528000





--- Comment #3 from Patrick Monnerat <pm at datasphere.ch>  2009-10-08 13:38:42 EDT ---
Here are some details. The lines causing the trouble are:

$format and $exifTool->Warn(
       sprintf("Unknown format ($format) for $dirName tag 0x%x",$tagID));

So $format and/or $dirName are tainted. I'm not a Perl guy, so I can hardly
backtrack these variables' sources (they even come from outside the module), but
I think the faulty statement can be rewritten as:

$format and $exifTool->Warn(
       sprintf("Unknown format (%d) for %s tag 0x%x",$format,$dirName,$tagID));

in a more secure way that does not cause the taint problem, but at the expense
of poorer readability, I agree.

From what I can see by examining Exif.pm, some other sprintf statements might
be subject to similar problems (i.e.: lines 2918, 2941, 2972, ...).

I apologize for not being able to reproduce, but the line is reached when there
is an unknown format in an Exif directory of a picture that I do not have
anymore (rejected by SpamAssassin!)

Whether the current bug is related to bug 510127 or not is out of my Perl
understanding... and since I do not know how to reproduce, I cannot even test
it on rawhide :-( Sorry and thanks for the proposal.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
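
The two statements from the comment above, side by side, as an added Perl example that is not part of the bug report or of the module's code. The sub names, the sample values and the `substr($^X, 0, 0)` taint idiom are constructed for illustration; it assumes Perl 5.10 or later, where taint mode rejects a tainted sprintf format.

```perl
use strict;
use warnings;

# Run as: perl -T sprintf_taint.pl
# Without -T nothing is tainted and only the argument-shift effect shows.

# Empty string that is tainted when taint mode is on (slice of $^X).
my $TAINT = substr($^X, 0, 0);

# Constructed stand-ins for values parsed from an untrusted image file.
my $format  = '99' . $TAINT;
my $dirName = 'IFD0 %s' . $TAINT;   # directory name carrying a stray directive
my $tagID   = 0x9999;

# Pattern from the bug report: untrusted values interpolated into the format.
sub warn_interpolated {
    my ($format, $dirName, $tagID) = @_;
    return sprintf("Unknown format ($format) for $dirName tag 0x%x", $tagID);
}

# Pattern proposed in the comment: constant format, values passed as arguments.
sub warn_parameterized {
    my ($format, $dirName, $tagID) = @_;
    return sprintf("Unknown format (%d) for %s tag 0x%x",
                   $format, $dirName, $tagID);
}

printf "taint mode: %s\n", ${^TAINT} ? 'on' : 'off';

for my $case ([interpolated  => \&warn_interpolated],
              [parameterized => \&warn_parameterized]) {
    my ($name, $code) = @$case;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };

    # eval catches the taint exception raised for a tainted format string.
    my $msg = eval { $code->($format, $dirName, $tagID) };
    if (defined $msg) {
        print "$name: $msg\n";
    } else {
        print "$name: died: $@";
    }
    print "  warning: $_" for @warnings;
}
```

Under `-T` the interpolated form dies inside sprintf while the parameterized form prints the directory name literally; without `-T` the interpolated form lets the stray `%s` consume `$tagID` and leaves `%x` with no argument.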



