CDE has relied upon catgets() implementations following a relaxed
interpretation of the XPG internationalization standard that ignored
-1, the standard error value returned by catopen, as the catalog
argument. However, this same behavior causes segmentation faults with
the musl C library.
This patch:
- Centralizes (with the exception of ToolTalk) all calls to catopen(),
catgets(), and catclose() through MsgCat within the DtSvc library.
- Prevents calls to catgets() and catclose() that rely upon
undefined behavior.
- Eliminates a number of bespoke catgets() wrappers, including multiple
redundant caching implementations designed to work around a design
peculiarity in HP/UX.
- Eases building CDE without XPG internationalization support by providing
the appropriate macros.
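
Added example, not part of the commit or of CDE's DtSvc code: a minimal C wrapper showing the guard the message describes, where a failed catopen() (return value (nl_catd)-1) is never passed on to catgets() or catclose(). The msg_cat type, the msg_cat_* names and the catalog path are hypothetical.

```c
#include <nl_types.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not the DtSvc MsgCat API. */
#define CAT_INVALID ((nl_catd)-1)   /* XPG error value returned by catopen() */

typedef struct {
    nl_catd catd;                   /* CAT_INVALID while no catalog is open */
} msg_cat;

void msg_cat_open(msg_cat *mc, const char *name)
{
    mc->catd = catopen(name, NL_CAT_LOCALE);
}

int msg_cat_is_open(const msg_cat *mc)
{
    return mc != NULL && mc->catd != CAT_INVALID;
}

/* Return the default string ourselves instead of handing -1 to catgets(). */
const char *msg_cat_get(const msg_cat *mc, int set, int num, const char *dflt)
{
    if (!msg_cat_is_open(mc))
        return dflt;
    return catgets(mc->catd, set, num, dflt);
}

/* Closing is a no-op for a failed open, and idempotent after a real close. */
int msg_cat_close(msg_cat *mc)
{
    int rc;
    if (!msg_cat_is_open(mc))
        return 0;
    rc = catclose(mc->catd);
    mc->catd = CAT_INVALID;
    return rc;
}

int main(void)
{
    msg_cat mc;
    /* Constructed path that does not exist, so catopen() fails. */
    msg_cat_open(&mc, "/nonexistent/constructed-example.cat");
    puts(msg_cat_get(&mc, 1, 1, "default message"));
    return msg_cat_close(&mc);
}
```
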
Don't use the idiom
    char foo[BUFSIZ];
    snprintf(foo, BUFSIZ, ....);
but
    char foo[BUFSIZ];
    snprintf(foo, sizeof foo, ....);
because this will automatically catch situations where the size of foo
is later changed, e.g. like foo[BUFSIZ + 8];
Fix another use of sprintf.
Patch from Robert Tomsick <robert+cde@tomsick.net>:
I believe this fixes vulnerability #3 from CERT CA-1999-11.[1] The other
uses of sprintf in DtAction seem to be safe.
[1] https://www.cert.org/advisories/CA-1999-11.html