The primary focus of the 0.5.5 release is applying some security fixes.
There are a small number of bugfixes as well.
The primary security fix is that of printing control characters.
All previous releases are affected by this.
Any input data, such as file names, may contain control characters.
Previously, the print methods did not sanitize this data on output and printed those control characters as-is.
This creates undefined behavior, which I consider a security issue.
The solution is to write my own `printf()/fprintf()` alternatives.
See `fl_print_format()` for the unlocked implementation and documentation.
See `fll_print_format()` for the locked implementation of `fl_print_format()`.
There are several new print functions and many of the color print functions have been removed or moved into the print projects.
In general, all `f_print_*()` or `fl_print_*()` functions are unlocked and the `fll_print_*()` functions are locked.
The new formatted print functions are not entirely complete in that they do not have the printing support for float and double (I need to study some) and the number conversion is not as efficient as I would like it to be (again, I need to study some).
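To illustrate the control character problem described above, the following added example (not FLL code and not the implementation of `fl_print_format()`) sanitizes an untrusted file name before it reaches the terminal. The names `sanitize_control()` and `print_name_safely()` are hypothetical, and replacing control bytes with Unicode control pictures is this example's own choice.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an FLL function): copy `in` to `out`, replacing
 * each ASCII control byte (0x00-0x1F, 0x7F) with its Unicode "control
 * picture" (U+2400 block) encoded as UTF-8, so a terminal displays a symbol
 * instead of acting on the byte. Bytes >= 0x80 pass through unchanged so
 * UTF-8 text survives; C1 controls (U+0080-U+009F) are not handled here.
 * Returns the bytes written, or (size_t)-1 if `out` is too small. */
size_t sanitize_control(const unsigned char *in, size_t in_len,
                        unsigned char *out, size_t out_cap) {
  size_t used = 0;
  for (size_t i = 0; i < in_len; i++) {
    unsigned char c = in[i];
    if (c < 0x20 || c == 0x7f) {
      /* U+2400..U+241F picture 0x00..0x1F; U+2421 pictures DEL. */
      unsigned char low = (c == 0x7f) ? 0x21 : c;
      if (out_cap - used < 3) return (size_t)-1;
      out[used++] = 0xe2;
      out[used++] = 0x90;
      out[used++] = (unsigned char)(0x80 | low);
    } else {
      if (out_cap - used < 1) return (size_t)-1;
      out[used++] = c;
    }
  }
  return used;
}

/* Hypothetical helper: print an untrusted name with control bytes made
 * visible. Returns 0 on success, -1 on a too-long name or a write error. */
int print_name_safely(FILE *stream, const char *name) {
  unsigned char buf[256];
  size_t n = sanitize_control((const unsigned char *)name, strlen(name),
                              buf, sizeof buf);
  if (n == (size_t)-1) return -1;
  return fwrite(buf, 1, n, stream) == n ? 0 : -1;
}

int main(void) {
  /* Constructed sample: a file name carrying an escape sequence and newline. */
  const char *name = "notes\x1b[2J.txt\n";
  fputs("file: ", stdout);
  if (print_name_safely(stdout, name) != 0) return 1;
  fputs("\n", stdout);
  return 0;
}
```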
The summary of fixes and improvements:
- Installer script is attempting to install non-existent files.
- (Security) NULL dereferences discovered by GCC's -fanalyzer.
- Console parameter processing should handle unknown parameters with -/+ as regular parameters.
- (Security) Invalid allocation sizes due to incorrect types.
- iki_read never implemented --at.
- FSS Basic and Extended List Read -a -n -l parameter fails to work as expected.
- (Security) Static/Dynamic string compare functions aren't properly handling empty strings or empty ranges.
- Allow empty Objects in FSS Basic and Extended Lists.
- Add support for -R/--raw parameters in FSS read programs.
- Embedded List slash processing problems.
- Miscellaneous mistakes and cleanups.
- (Security) Redesign printing and conversions, providing custom functions like `fll_print_format()`.
Remaining planned changes for preparing 0.5.x branch for 0.6.x:
- Finish writing UTF-8 support for existing functionality.
- Finish the "controller" program, which is another part of the non-systemd init design.
- Tweak "Controller" to have an "init" like behavior, but only for a custom program called "init", otherwise operate as a more generic controller.
- Write the "control" program, which is intended to interact with the "controller" program.
- Review FSS and IKI standards for consistency in both specification and implementation.
- Bring "firewall" up to date.
- Cleanup existing code, getting the style back in sync for a stable release.
- Review and fix some inconsistencies in the design that would influence the API.
- Update Featureless Make to fully handle creating parent paths.
- Update Featureless Make to support overriding settings using program parameters.
- Update documentation.