META file should have key:value lines but if the NIST NVD website is
down, instead of the META file, the page describing the site being down
is downloaded instead, which results in cve-check-update getting stuck
in a loop trying to process the invalid META file. This can also be
reproduced easily by tweaking a valid META file to have a colon (:) as
the first character in the file. fscanf fails match, and so doesn't
update the file pointer, and the loop doesn't break if there is no
match unless its EOF.
Fix by using fgets to get lines, and sscanf to parse them to keep file
pointer handling simple.
META file should have key:value lines but if the NIST NVD website is down, instead of the META file, the page describing the site being down is downloaded instead, which results in cve-check-update getting stuck in a loop trying to process the invalid META file. This can also be reproduced easily by tweaking a valid META file to have a colon (:) as the first character in the file. fscanf fails match, and so doesn't update the file pointer, and the loop doesn't break if there is no match unless its EOF.
Fix by using fgets to get lines, and sscanf to parse them to keep file pointer handling simple.