Subject: Re: Fwd: CERT Advisory CA-2002-12 Format String Vulnerability in
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Frederick Bruckman <fredb@immanent.net>
List: tech-security
Date: 05/12/2002 10:30:01
On Sat, 11 May 2002, Bill Sommerfeld wrote:

> > If so, that doesn't seem like a good thing for everyone else on the
> > Internet...
>
> So, sorry to disappoint you, but we all have limited time.
>
> Shortly after the general class of "format string vulnerabilities"
> became known, I did a sweep through the NetBSD sources with the aid of
> an enhanced gcc -Wformat check (the very concept of which was rejected
> by a gcc type, go figure -- one of several people who needlessly made
> this effort more difficult).
>
> I found *several hundred* cases where variable strings were passed as
> the format parameter argument for one of the printf-like functions.

This is the sweep that just made NetBSD 1.4.3, right?

> In the interest of doing this as quickly as possible, I did not stop
> to analyze which of these particular coding errors were "exploitable".

Maybe we should have a blanket SA, saying all systems older than
NetBSD 1.4.3 *may* *have* exploitable format string errors? What
bothers me is that people are still evidently obtaining a 1.4.1 CD,
loading it up, putting the machine on the internet and filing PRs,
or posting to news, unaware that there's anything wrong.

Frederick
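As an added example (not code from this thread or from the NetBSD sources), the pattern the sweep looked for beside its hardened form, in C; it assumes gcc or clang (for the format attribute and the -Wformat -Wformat-security warnings) and the helper names are made up for illustration:

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The coding error the sweep counted: a variable string used as the format.
 * gcc -Wformat -Wformat-security warns here because the format is not a
 * literal; if msg arrived from the network, its directives would be obeyed. */
static void log_line_unsafe(const char *msg)
{
    fprintf(stderr, msg);   /* BUG: untrusted msg occupies the format slot */
}

/* Hardened wrapper. The format attribute (gcc/clang extension, assumed)
 * makes the compiler check callers of log_fmt exactly as it checks printf,
 * so log_fmt(buf) is flagged while log_fmt("%s", buf) passes. */
static void log_fmt(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
static void log_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
}

/* Renders untrusted text through a literal "%s" format so directives in it
 * are copied, not interpreted. Returns bytes stored (excluding the NUL). */
size_t render_untrusted(char *out, size_t outlen, const char *msg)
{
    int n = snprintf(out, outlen, "%s", msg);
    if (n < 0)
        return 0;
    return (size_t)n < outlen ? (size_t)n : outlen - 1;
}

/* Nonzero if s carries a conversion directive, i.e. it must never be used
 * as a format itself. "%%" is a literal percent sign and is not counted. */
int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') { p += 2; continue; }
        return 1;
    }
    return 0;
}
```

Compile with `gcc -Wformat -Wformat-security` to see the warning on log_line_unsafe; the safe paths produce none.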