xsnprintf makes fortify protection ineffective. It should be an inline function or a #define. The function does not guard against negative or oversized return values, and callers assume that it always returns values in the range [0, size - 1] (see arguments.c:args_print() for an example).
Can you show me a patch for what you're looking for?
(In reply to David Cantrell from comment #2) > Can you show me a patch for what you're looking for? An extensive explanation is available in this blog post: https://securityblog.redhat.com/2014/03/12/the-trouble-with-snprintf/
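The return-value hazard raised in this report, shown as an added example that is not tmux's xsnprintf or any code from the bug: a hypothetical `safe_snprintf` wrapper that rejects negative and truncated results, and a hypothetical `append_flags` loop in the style of args_print() that relies on it to keep its offset inside the buffer.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper (not tmux's xsnprintf): returns the number of
 * characters written, or -1 on encoding error or truncation, so callers
 * never see a value outside [0, size - 1]. */
int safe_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0 || size > INT_MAX)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    /* n < 0: encoding error. n >= size: output was truncated and n is
     * the length that *would* have been written, not what was stored. */
    if (n < 0 || (size_t)n >= size) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Append loop in the style of args_print(): builds "-a -b -c" into a
 * fixed buffer. Returns the total length, or -1 if it would not fit.
 * With an unchecked snprintf, a truncated call would advance `off`
 * past `len`, and the next `buf + off` / `len - off` would write out
 * of bounds; the checked wrapper makes that path unreachable. */
int append_flags(char *buf, size_t len, const char *flags)
{
    size_t off = 0;
    int n;

    if (len == 0)
        return -1;
    buf[0] = '\0';
    for (; *flags != '\0'; flags++) {
        n = safe_snprintf(buf + off, len - off, "%s-%c",
                          off == 0 ? "" : " ", *flags);
        if (n < 0)
            return -1;
        off += (size_t)n;
    }
    return (int)off;
}
```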
Denied by PM for 7.1, moving to 7.2 planning list. :/
Denied by PM for 7.2, moving to the 7.3 planning list.
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.