* sysdep.c: lprintf(): Bug 124: Fix remote format string vulnerability

  (thanks to coki@nosystem.com.ar)

diff --git a/citadel/ChangeLog b/citadel/ChangeLog
index e0b802133653ee3349007f6491c79b71c9c76d59..eecb5d9eccb652fa2fe726b1eac3dccbdfb55695 100644 (file)
--- a/citadel/ChangeLog
+++ b/citadel/ChangeLog
@@ -1,4 +1,8 @@
  $Log$
+ Revision 627.12  2004/12/12 17:33:24  error
+ * sysdep.c: lprintf(): Bug 124: Fix remote format string vulnerability
+   (thanks to coki@nosystem.com.ar)
+
  Revision 627.11  2004/12/01 16:28:58  ajc
  * tools.c: don't crash when striplt() is called with z zero length string
 
@@ -6231,3 +6235,4 @@ Sat Jul 11 00:20:48 EDT 1998 Nathan Bryant <bryant@cs.usm.maine.edu>
 
 Fri Jul 10 1998 Art Cancro <ajc@uncensored.citadel.org>
        * Initial CVS import
+

diff --git a/citadel/sysdep.c b/citadel/sysdep.c
index d52b920bea8659ee4897e66950fedb766fe050d4..fd9b3ad964d527664a8c299af186cedcfeebeff8 100644 (file)
--- a/citadel/sysdep.c
+++ b/citadel/sysdep.c
@@ -121,7 +121,7 @@ void lprintf(enum LogLevel loglevel, const char *format, ...) {
                                snprintf(buf, 6, "[%3d]", CC->cs_pid);
                                buf[5] = ' ';
                        }
-                       syslog(loglevel, buf);
+                       syslog(loglevel, "%s", buf);
                }
        }
        else if (loglevel <= verbosity) {