--- /dev/null
+diff -ur sysvinit-2.78.orig/src/bootlogd.c sysvinit-2.78/src/bootlogd.c
+--- sysvinit-2.78.orig/src/bootlogd.c Mon Oct 4 13:19:19 1999
++++ sysvinit-2.78/src/bootlogd.c Tue Aug 8 06:36:47 2000
+@@ -86,7 +86,7 @@
+ * Scan /dev and find the device name.
+ * Side-effect: directory is changed to /dev
+ */
+-int findtty(char *res, dev_t dev)
++int findtty(char **res, dev_t dev)
+ {
+ DIR *dir;
+ struct dirent *ent;
+@@ -109,8 +109,10 @@
+ if (ent == NULL) {
+ fprintf(stderr, "bootlogd: cannot find console device\n");
+ r = -1;
+- } else
+- strcpy(res, ent->d_name);
++ } else {
++ *res = strdup(ent->d_name);
++ if (!*res) r = -1;
++ }
+ closedir(dir);
+
+ return r;
+@@ -121,7 +123,7 @@
+ * Find out the _real_ console. Assume that stdin is connected to
+ * the console device (/dev/console).
+ */
+-int consolename(char *res)
++int consolename(char **res)
+ {
+ struct stat st;
+ #if TIOCTTYGSTRUCT_HACK
+@@ -235,9 +237,10 @@
+ FILE *fp;
+ struct timeval tv;
+ fd_set fds;
+- char buf[1024];
++ char *console;
+ char *p;
+ char *logfile;
++ char *backfile;
+ char *pidfile;
+ int rotate;
+ int dontfork;
+@@ -285,10 +288,10 @@
+ /*
+ * Open console device directly.
+ */
+- if (consolename(buf) < 0)
++ if (consolename(&console) < 0)
+ return 1;
+- if ((realfd = open(buf, O_WRONLY|O_NONBLOCK)) < 0) {
+- fprintf(stderr, "bootlogd: %s: %s\n", buf, strerror(errno));
++ if ((realfd = open(console, O_WRONLY|O_NONBLOCK)) < 0) {
++ fprintf(stderr, "bootlogd: %s: %s\n", console, strerror(errno));
+ return 1;
+ }
+ n = fcntl(realfd, F_GETFL);
+@@ -298,7 +301,7 @@
+ /*
+ * Grab a pty, and redirect console messages to it.
+ */
+- if (openpty(&ptm, &pts, buf, NULL, NULL) < 0) {
++ if (openpty(&ptm, &pts, console, NULL, NULL) < 0) {
+ fprintf(stderr, "bootlogd: cannot allocate pseudo tty\n");
+ return 1;
+ }
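Review bot: `openpty()` stores the slave pty's name in its third argument, and `console` is now a `strdup()` allocation sized for the console device name (see `*res = strdup(ent->d_name)` in the findtty hunk), so this call can write past the end of that heap block whenever the pty name is longer. The removed `char buf[1024]` gave that write room. Keep a dedicated array for it, e.g. `char ptyname[1024];` with `openpty(&ptm, &pts, ptyname, NULL, NULL)`, and pass the same array to the `ioctl(%s, TIOCCONS)` message in the next hunk. The body of `consolename()` and the rest of this function are outside the visible hunks, so confirm that nothing in between reallocates `console`.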
+@@ -312,7 +315,7 @@
+ #endif
+ if (ioctl(pts, TIOCCONS, NULL) < 0) {
+ fprintf(stderr, "bootlogd: ioctl(%s, TIOCCONS): %s\n",
+- buf, strerror(errno));
++ console, strerror(errno));
+ return 1;
+ }
+
+@@ -384,8 +387,10 @@
+ * Perhaps we need to open the logfile.
+ */
+ if (fp == NULL && rotate && access(logfile, F_OK) == 0) {
+- sprintf(buf, "%s~", logfile);
+- rename(logfile, buf);
++ backfile = malloc(strlen(logfile) + 2);
++ if (!backfile) break;
++ sprintf(backfile, "%s~", logfile);
++ rename(logfile, backfile);
+ }
+ if (fp == NULL)
+ fp = fopen(logfile, "a");
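Review bot: `backfile` is allocated on the rotate path and never released, and the `break` on allocation failure leaves the enclosing construct instead of just skipping the rotation. Add `free(backfile);` after the `rename()` call. What `break` exits is outside the hunk, so check against the full loop whether falling through to `fopen(logfile, "a")` would be the better response to a failed `malloc()`. The `rename()` result is also ignored, so a failed rotation is silent.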
+diff -ur sysvinit-2.78.orig/src/dowall.c sysvinit-2.78/src/dowall.c
+--- sysvinit-2.78.orig/src/dowall.c Tue Apr 20 01:10:10 1999
++++ sysvinit-2.78/src/dowall.c Tue Aug 8 06:50:06 2000
+@@ -90,7 +90,7 @@
+ if ((tty = ttyname(0)) != (char *)0) {
+ if (strncmp(tty, "/dev/", 5) == 0)
+ tty += 5;
+- sprintf(ttynm, "(%s) ", tty);
++ snprintf(ttynm, sizeof(ttynm), "(%s) ", tty);
+ } else
+ ttynm[0] = 0;
+ init++;
+@@ -105,7 +105,7 @@
+ *p = 0;
+
+ if (remote) {
+- sprintf(line,
++ snprintf(line, sizeof(line),
+ "\007\r\nRemote broadcast message %s...\r\n\r\n",
+ date);
+ } else {
+@@ -124,10 +124,14 @@
+ while ((utmp = getutent()) != NULL) {
+ if(utmp->ut_type != USER_PROCESS ||
+ utmp->ut_user[0] == 0) continue;
+- if (strncmp(utmp->ut_line, "/dev/", 5) == 0)
+- strcpy(term, utmp->ut_line);
+- else
+- sprintf(term, "/dev/%s", utmp->ut_line);
++/* AUDIT: is ut_line always NUL-terminated? This code will at least not
++ * overflow the buffer if not. */
++ if (strlen(utmp->ut_line) >= sizeof(term) - 5) continue;
++ if (strncmp(utmp->ut_line, "/dev/", 5) == 0) {
++ term[0] = '\0';
++ strncat(term, utmp->ut_line, sizeof(term) - 1);
++ } else
++ snprintf(term, sizeof(term), "/dev/%s", utmp->ut_line);
+
+ /*
+ * Sometimes the open/write hangs in spite of the O_NDELAY
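Review bot: The new `strlen(utmp->ut_line)` guard reads until it finds a NUL, but `ut_line` is a fixed-size utmp field that need not be terminated (the added AUDIT comment raises exactly this), so the length check itself can run past the field. Bound the read by the field size instead: `if (strnlen(utmp->ut_line, sizeof(utmp->ut_line)) >= sizeof(term) - 5) continue;`, and use `"/dev/%.*s"` with `(int)sizeof(utmp->ut_line)` in the `snprintf`. The `strncat` bound should likewise be the smaller of `sizeof(term) - 1` and `sizeof(utmp->ut_line)`. The shutdown.c hunk at `-377,7` adds the same `strlen(ut->ut_line)` guard and needs the same change.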
+diff -ur sysvinit-2.78.orig/src/init.c sysvinit-2.78/src/init.c
+--- sysvinit-2.78.orig/src/init.c Fri Feb 11 14:17:02 2000
++++ sysvinit-2.78/src/init.c Tue Aug 8 08:07:37 2000
+@@ -70,6 +70,11 @@
+ # define SIGPWR SIGUSR2
+ #endif
+
++#ifdef __GNUC__
++__attribute__ ((format (printf, 2, 3)))
++#endif
++void log(int loglevel, char *s, ...);
++
+ /* Set a signal handler. */
+ #define SETSIG(sa, sig, fun, flags) \
+ do { \
+@@ -416,10 +421,11 @@
+ }
+
+ /*
+- * Set the process title. We do not check for overflow of
+- * the stack space since we know there is plenty for
+- * our needs and we'll never use more than 10 bytes anyway.
++ * Set the process title.
+ */
++#ifdef __GNUC__
++__attribute__ ((format (printf, 1, 2)))
++#endif
+ int setproctitle(char *fmt, ...)
+ {
+ va_list ap;
+@@ -429,7 +435,7 @@
+ buf[0] = 0;
+
+ va_start(ap, fmt);
+- len = vsprintf(buf, fmt, ap);
++ len = vsnprintf(buf, sizeof(buf), fmt, ap);
+ va_end(ap);
+
+ memset(argv0, 0, maxproclen + 1);
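Review bot: `vsnprintf` does not return the number of bytes stored when the output is truncated, so `len` can now be negative or larger than `sizeof(buf)`: C99 libraries return the length that would have been needed and older ones return -1. How `len` is used after the `memset` is outside this hunk, but any copy length or return value derived from it should be clamped first, e.g. `if (len < 0 || (size_t)len >= sizeof(buf)) len = sizeof(buf) - 1;`. A short comment above the call stating that the title is silently truncated to `sizeof(buf) - 1` bytes would replace the removed overflow remark.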
+@@ -728,6 +734,9 @@
+ /*
+ * Log something to a logfile and the console.
+ */
++#ifdef __GNUC__
++__attribute__ ((format (printf, 2, 3)))
++#endif
+ void log(int loglevel, char *s, ...)
+ {
+ va_list va_alist;
+@@ -742,7 +751,7 @@
+ * Re-etablish connection with syslogd every time.
+ */
+ openlog("init", 0, LOG_DAEMON);
+- syslog(LOG_INFO, buf);
++ syslog(LOG_INFO, "%s", buf);
+ /* closelog(); NOT needed with recent libc's. */
+ }
+
+@@ -856,6 +865,7 @@
+ } else {
+ /* Split up command line arguments */
+ strncpy(buf, proc, sizeof(buf) - 1);
++ buf[sizeof(buf) - 1] = '\0';
+ ptr = buf;
+ for(f = 1; f < 15; f++) {
+ /* Skip white space */
+@@ -1003,7 +1013,7 @@
+ #endif
+
+ if (pid == -1) {
+- log(L_VB, "cannot fork, retry..", NULL, NULL);
++ log(L_VB, "cannot fork, retry..");
+ do_sleep(5);
+ continue;
+ }
+diff -ur sysvinit-2.78.orig/src/killall5.c sysvinit-2.78/src/killall5.c
+--- sysvinit-2.78.orig/src/killall5.c Wed Oct 7 00:34:46 1998
++++ sysvinit-2.78/src/killall5.c Tue Aug 8 07:21:08 2000
+@@ -72,6 +72,9 @@
+ int scripts_too = 0;
+
+ char *progname; /* the name of the running program */
++#ifdef __GNUC__
++__attribute__ ((format (printf, 2, 3)))
++#endif
+ void nsyslog(int pri, char *fmt, ...);
+
+ /* Malloc space, barf if out of memory. */
+@@ -166,7 +169,7 @@
+ memset(p, 0, sizeof(PROC));
+
+ /* Open the statistics file. */
+- sprintf(path, "/proc/%s/stat", d->d_name);
++ snprintf(path, sizeof(path), "/proc/%s/stat", d->d_name);
+
+ /* Read SID & statname from it. */
+ if ((fp = fopen(path, "r")) != NULL) {
+@@ -211,7 +214,7 @@
+ }
+
+ /* Now read argv[0] */
+- sprintf(path, "/proc/%s/cmdline", d->d_name);
++ snprintf(path, sizeof(path), "/proc/%s/cmdline", d->d_name);
+ if ((fp = fopen(path, "r")) != NULL) {
+ f = 0;
+ while(f < 127 && (c = fgetc(fp)) != EOF && c) buf[f++] = c;
+@@ -234,7 +237,7 @@
+ }
+
+ /* Try to stat the executable. */
+- sprintf(path, "/proc/%s/exe", d->d_name);
++ snprintf(path, sizeof(path), "/proc/%s/exe", d->d_name);
+ if (stat(path, &st) == 0) {
+ p->dev = st.st_dev;
+ p->ino = st.st_ino;
+@@ -349,6 +352,9 @@
+ }
+
+ /* write to syslog file if not open terminal */
++#ifdef __GNUC__
++__attribute__ ((format (printf, 2, 3)))
++#endif
+ void nsyslog(int pri, char *fmt, ...)
+ {
+ va_list args;
+diff -ur sysvinit-2.78.orig/src/last.c sysvinit-2.78/src/last.c
+--- sysvinit-2.78.orig/src/last.c Wed Nov 24 15:24:53 1999
++++ sysvinit-2.78/src/last.c Tue Aug 8 07:39:02 2000
+@@ -31,6 +31,7 @@
+ #include <string.h>
+ #include <signal.h>
+ #include <getopt.h>
++#include <assert.h>
+ #include <netinet/in.h>
+ #include <netdb.h>
+ #include <arpa/inet.h>
+@@ -298,7 +299,7 @@
+ /*
+ * Lookup a host with DNS.
+ */
+-int dns_lookup(char *result, char *org, unsigned int ip)
++int dns_lookup(char *result, int size, char *org, unsigned int ip)
+ {
+ struct hostent *h;
+
+@@ -315,8 +316,8 @@
+ strcpy(result, inet_ntoa(*(struct in_addr *)&ip));
+ return 0;
+ }
+- strncpy(result, h->h_name, 256);
+- result[255] = 0;
++ result[0] = '\0';
++ strncat(result, h->h_name, size - 1);
+
+ return 0;
+ }
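Review bot: `size` is declared `int` and used as `size - 1` for the `strncat` bound, so a zero or negative value converts to a huge `size_t` and removes the limit; declare it `size_t` and return early when it is 0. The `strcpy(result, inet_ntoa(...))` kept at the top of this hunk still ignores `size`, as may the earlier part of `dns_lookup` that lies outside the hunk. Those copies should use the same bounded form, e.g. `result[0] = '\0'; strncat(result, inet_ntoa(*(struct in_addr *)&ip), size - 1);`.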
+@@ -396,11 +397,13 @@
+ break;
+ }
+
++ assert(UT_HOSTSIZE <= sizeof(domain));
++
+ /*
+ * Look up host with DNS if needed.
+ */
+ if (usedns)
+- dns_lookup(domain, p->ut_host, p->ut_addr);
++ dns_lookup(domain, sizeof(domain), p->ut_host, p->ut_addr);
+ if (useip) {
+ in.s_addr = p->ut_addr;
+ strcpy(domain, inet_ntoa(in));
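Review bot: The `assert(UT_HOSTSIZE <= sizeof(domain))` check compares two compile-time constants at run time and disappears when built with `NDEBUG`, so it protects nothing in such a build. A compile-time check fails the build instead, e.g. `typedef char domain_fits_host[sizeof(domain) > UT_HOSTSIZE ? 1 : -1];`. That uses `>` rather than `>=` because, if `ut_host` is copied into `domain` at full length (that code is outside the hunk), one more byte is needed for the terminator.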
+@@ -418,17 +421,20 @@
+ strcmp(s + 1, domainname) == 0) *s = 0;
+ #endif
+ if (!altlist) {
+- sprintf(final, "%-8.8s %-12.12s %-16.16s %-16.16s %-7.7s %-12.12s\n",
++ snprintf(final, sizeof(final),
++ "%-8.8s %-12.12s %-16.16s "
++ "%-16.16s %-7.7s %-12.12s\n",
+ p->ut_name, utline,
+ domain, logintime, logouttime, length);
+ } else {
+- sprintf(final,
++ snprintf(final, sizeof(final),
+ "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s %s\n",
+ p->ut_name, utline,
+ logintime, logouttime, length, domain);
+ }
+ } else
+- sprintf(final, "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s\n",
++ snprintf(final, sizeof(final),
++ "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s\n",
+ p->ut_name, utline,
+ logintime, logouttime, length);
+
+@@ -436,7 +442,7 @@
+ * Print out "final" string safely.
+ */
+ for (s = final; *s; s++) {
+- if (*s == '\n' || (*s >= 32 && (unsigned char)*s <= 128))
++ if (*s == '\n' || (*s >= 32 && (unsigned char)*s <= 126))
+ putchar(*s);
+ else
+ putchar('*');
+@@ -547,10 +553,11 @@
+
+ #if CHOP_DOMAIN
+ /* Find out domainname. */
+- (void) gethostname(hostname, 256);
++ (void) gethostname(hostname, sizeof(hostname));
+ if ((domainname = strchr(hostname, '.')) != NULL) domainname++;
+ if (domainname == NULL || domainname[0] == 0) {
+- (void) getdomainname(hostname, 256);
++ (void) getdomainname(hostname, sizeof(hostname));
++ hostname[sizeof(hostname) - 1] = '\0';
+ domainname = hostname;
+ if (strcmp(domainname, "(none)") == 0 || domainname[0] == 0)
+ domainname = NULL;
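Review bot: Only the `getdomainname` result is terminated; `gethostname` may also leave `hostname` without a NUL when the name is truncated, and `strchr(hostname, '.')` runs on it straight away. Add `hostname[sizeof(hostname) - 1] = '\0';` after the `gethostname` call as well. Both return values are discarded with `(void)`, so on failure the buffer holds whatever was there before; setting `hostname[0] = '\0'` first (its declaration is outside the hunk) would make that case predictable.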
+diff -ur sysvinit-2.78.orig/src/shutdown.c sysvinit-2.78/src/shutdown.c
+--- sysvinit-2.78.orig/src/shutdown.c Sat Nov 13 19:39:01 1999
++++ sysvinit-2.78/src/shutdown.c Tue Aug 8 07:47:47 2000
+@@ -110,17 +110,19 @@
+ void warn(mins)
+ int mins;
+ {
+- char buf[MESSAGELEN + 64];
++ char buf[MESSAGELEN + sizeof(newstate)];
+ int len;
+
+- strcpy(buf, message);
++ buf[0] = '\0';
++ strncat(buf, message, sizeof(buf) - 1);
+ len = strlen(buf);
+
+ if (mins == 0)
+- sprintf(buf + len, "\rThe system is going down %s NOW !!\r\n",
++ snprintf(buf + len, sizeof(buf) - len,
++ "\rThe system is going down %s NOW !!\r\n",
+ newstate);
+ else
+- sprintf(buf + len,
++ snprintf(buf + len, sizeof(buf) - len,
+ "\rThe system is going DOWN %s in %d minute%s !!\r\n",
+ newstate, mins, mins == 1 ? "" : "s");
+ wall(buf, 1, 0);
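Review bot: `sizeof(newstate)` only gives the string capacity if `newstate` is an array; its declaration is outside the hunk, and if it is a `char *` the buffer shrinks to `MESSAGELEN` plus a pointer's width. Even in the array case the size leaves no room for the fixed text of the two format strings, so `snprintf` can now cut the warning short and drop the trailing `\r\n` without any indication. Size the buffer for all three parts, e.g. `char buf[MESSAGELEN + sizeof(newstate) + 64];` (assuming the array case), with a comment saying that the 64 covers the literal text and the minute count.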
+@@ -377,7 +379,8 @@
+
+ /* See if this is a user process on a VC. */
+ if (ut->ut_type != USER_PROCESS) continue;
+- sprintf(buf, "/dev/%s", ut->ut_line);
++ if (strlen(ut->ut_line) >= sizeof(buf) - 5) continue;
++ snprintf(buf, sizeof(buf), "/dev/%s", ut->ut_line);
+ if (stat(buf, &st) < 0) continue;
+ if ((st.st_rdev & 0xFFC0) != 0x0400) continue;
+
+diff -ur sysvinit-2.78.orig/src/wall.c sysvinit-2.78/src/wall.c
+--- sysvinit-2.78.orig/src/wall.c Tue Jul 28 15:22:56 1998
++++ sysvinit-2.78/src/wall.c Tue Aug 8 07:41:34 2000
+@@ -53,7 +53,7 @@
+ if ((argc - optind) > 0) {
+ for(f = optind; f < argc; f++) {
+ len += strlen(argv[f]) + 1;
+- if (len >= MAXLEN) break;
++ if (len >= MAXLEN - 2) break;
+ strcat(buf, argv[f]);
+ strcat(buf, " ");
+ }