From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000)
Subject: proc/alloc.c: Use vfprintf(), not fprintf().
X-Git-Tag: v3.3.15~108
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=98b79d1ef1695ad0332203c9e15e0c2de2d7d0e9;p=procps-ng

proc/alloc.c: Use vfprintf(), not fprintf().

This can disclose information from the stack, but is unlikely to have a
security impact in the context of the procps utilities:

user@debian:~$ w 2>&1 | xxd
00000000: a03c 79b7 1420 6661 696c 6564 2074 6f20  .<y.. failed to
00000010: 616c 6c6f 6361 7465 2033 3232 3137 3439  allocate 3221749
00000020: 3738 3020 6279 7465 7320 6f66 206d 656d  780 bytes of mem
00000030: 6f72 79                                  ory
---

diff --git a/proc/alloc.c b/proc/alloc.c
index 94af47f7..3cdb60fc 100644
--- a/proc/alloc.c
+++ b/proc/alloc.c
@@ -30,7 +30,7 @@ static void xdefault_error(const char *restrict fmts, ...) {
     va_list va;
 
     va_start(va, fmts);
-    fprintf(stderr, fmts, va);
+    vfprintf(stderr, fmts, va);
     va_end(va);
 }