[PR #6184] [MERGED] security: fix sscanf rv checks (CodeQL) #5864

New issue

Closed

opened 2026-05-05 10:46:21 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:46:21 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/6184
Author: @kmk3
Created: 2/1/2024
Status: ✅ Merged
Merged: 2/4/2024
Merged by: @kmk3

Base: master ← Head: fix-sscanf-rv

📝 Commits (1)

ef2f5f3 security: fix sscanf rv checks (CodeQL)

📊 Changes

1 file changed (+4 additions, -4 deletions)

View changed files

📝 src/firejail/restrict_users.c (+4 -4)

📄 Description

Fix the following CodeQL warning (CWE-253)[1]:

Rule ID: cpp/incorrectly-checked-scanf

The result of scanf is only checked against 0, but it can also return
EOF.

Functions in the scanf family return either EOF (a negative value) in
case of IO failure, or the number of items successfully read from the
input. Consequently, a simple check that the return value is nonzero
is not enough.

Recommendation

Ensure that all uses of scanf check the return value against the
expected number of arguments rather than just against zero.

Note: The affected code portions attempt to read values from /etc/passwd
and /etc/group, so invalid input seems unlikely to be the case. Either
way, the changes make the checks in question more consistent with
similar sscanf return value checks in the rest of the code.

Added on commit 4f003daec ("prevent leaking user information by
modifying /home directory, /etc/passwd and /etc/group", 2015-11-19).

[1] https://github.com/netblue30/firejail/security/code-scanning/32

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/6184 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 2/1/2024 **Status:** ✅ Merged **Merged:** 2/4/2024 **Merged by:** [@kmk3](https://github.com/kmk3) **Base:** `master` ← **Head:** `fix-sscanf-rv` --- ### 📝 Commits (1) - [`ef2f5f3`](https://github.com/netblue30/firejail/commit/ef2f5f384697f8227a7c0d3ef11c2f158c6acad0) security: fix sscanf rv checks (CodeQL) ### 📊 Changes **1 file changed** (+4 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/restrict_users.c` (+4 -4) </details> ### 📄 Description Fix the following CodeQL warning (CWE-253)[1]: > Rule ID: cpp/incorrectly-checked-scanf > The result of scanf is only checked against 0, but it can also return > EOF. > Functions in the scanf family return either EOF (a negative value) in > case of IO failure, or the number of items successfully read from the > input. Consequently, a simple check that the return value is nonzero > is not enough. > > Recommendation > > Ensure that all uses of scanf check the return value against the > expected number of arguments rather than just against zero. Note: The affected code portions attempt to read values from /etc/passwd and /etc/group, so invalid input seems unlikely to be the case. Either way, the changes make the checks in question more consistent with similar sscanf return value checks in the rest of the code. Added on commit 4f003daec ("prevent leaking user information by modifying /home directory, /etc/passwd and /etc/group", 2015-11-19). [1] https://github.com/netblue30/firejail/security/code-scanning/32 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:46:21 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5864

No description provided.

Rows
Columns