pam_env: force format string to be constant

As the string to output here is user-controlled this could lead to format string attacks. Possible impact is at least information leakage about the program stack. To avoid this, make the format string fixed and insert the actual string for output as an argument. Signed-off-by: Benny Baumann <BenBE@geshi.org>
author: Benny Baumann <BenBE@geshi.org> 2023-11-13 14:00:17 +0100
committer: Dmitry V. Levin <ldv@strace.io> 2023-11-13 13:24:08 +0000
commit: cd11d66f33ed140018af7b6419aa1571ceaa873b (patch)
tree: 34680e2fe22ac2e19bc430373c965f49eed5ca1b
parent: c6ca9d9decb0f6d20243c617c4c9860d1f455810 (diff)
download: pam-cd11d66f33ed140018af7b6419aa1571ceaa873b.tar.gz
pam-cd11d66f33ed140018af7b6419aa1571ceaa873b.tar.bz2
pam-cd11d66f33ed140018af7b6419aa1571ceaa873b.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index d675ae37..a5c47d92 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -464,7 +464,7 @@ _parse_line(const pam_handle_t *pamh, const char *buffer, VAR *var)
   ptr = buffer+length;
   while ((length = strspn(ptr, " \t")) > 0) {
     ptr += length;                              /* remove leading whitespace */
-    D((ptr));
+    D(("%s", ptr));
     if ((tmpptr = pam_str_skip_prefix(ptr, "DEFAULT=")) != NULL) {
       ptr = tmpptr;
       D(("Default arg found: <%s>", ptr));
author	Benny Baumann <BenBE@geshi.org>	2023-11-13 14:00:17 +0100
committer	Dmitry V. Levin <ldv@strace.io>	2023-11-13 13:24:08 +0000
commit	cd11d66f33ed140018af7b6419aa1571ceaa873b (patch)
tree	34680e2fe22ac2e19bc430373c965f49eed5ca1b
parent	c6ca9d9decb0f6d20243c617c4c9860d1f455810 (diff)
download	pam-cd11d66f33ed140018af7b6419aa1571ceaa873b.tar.gz pam-cd11d66f33ed140018af7b6419aa1571ceaa873b.tar.bz2 pam-cd11d66f33ed140018af7b6419aa1571ceaa873b.zip