Hi Otto, We agree this should be taken seriously, and I've looked over the PRs again this afternoon so that we can get them moving forward again. Of the 6: * 2 are drafts. Do you want them reviewed at this stage? * 2 I have approved, one of them I think is ready for merging, the other will need a second set of eyes. * 2 need a bit more work, one of which potentially adds new security vulnerabilities, but I'm happy to discuss them further. Point 7 of your email is a good one. You are welcome to open a PR against that, as the PR would make a good discussion point to make sure it is all there. Or someone else could add it via a PR. Kind Regards Andrew On 01/04/2024 00:52, Otto Kekäläinen via developers wrote:
Hi all,
Reading about the xz-utils backdoor authors submission of converting safe_fprintf() to fprintf() in libarchive[1] presumably in order to introduce intentional vulnerability reminded me that the MariaDB code base still has a plenty unsafe sprint/printf/fprintf use that can easily be found with scanners such as Flawfinder[2] and cppcheck[3].
There are currently 6 merge requests open by two authors (CC'd) to fix some of these issues[4]. Could we please have some more attention on these by the core contributors?
If core contributors are not happy with the submissions, could you perhaps write your own safe functions (there are already some in m_string.h[5]) like many other projects seem to have (also libarchive had[6]) and then ask all contributors to use them consistently?
Use of specific memory safe functions could also be mandated via the coding standards[7].
[1] https://github.com/libarchive/libarchive/pull/1609 [2] https://github.com/MariaDB/server/blob/11.5/.gitlab-ci.yml#L461-L489 [3] https://github.com/MariaDB/server/blob/11.5/.gitlab-ci.yml#L522-L554 [4] https://github.com/MariaDB/server/pulls?q=is%3Apr+is%3Aopen+sprintf+ [5] https://github.com/MariaDB/server/blob/11.5/include/m_string.h [6] https://github.com/libarchive/libarchive/blob/6110e9c82d8ba830c3440f36b99048... [7] https://github.com/MariaDB/server/blob/11.5/CODING_STANDARDS.md _______________________________________________ developers mailing list -- developers@lists.mariadb.org To unsubscribe send an email to developers-leave@lists.mariadb.org
-- Andrew (LinuxJedi) Hutchings Chief Contributions Officer MariaDB Foundation