Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: Bill Sommerfeld <firstname.lastname@example.org>
From: Todd Vierling <email@example.com>
Date: 09/11/2000 10:37:15
On Mon, 11 Sep 2000, Bill Sommerfeld wrote:
: All known non-denial-of-service format string exploits involve the use
: of the %n specifier, which pulls an argument out of the argument list,
: interprets it as an (int *), and stores the character count of the
: current output into it.
Given that it's required by SUSv2 and POSIX to be available at all times....
I could see a function provided to _disable_ it, not enable it. Any program
written to be suid shouldn't be trusting third-party format strings at all,
but if they do, then we could provide those programs with such a tool.
-- Todd Vierling <firstname.lastname@example.org> * http://www.wasabisystems.com/
-- Speed, stability, security, and support. Wasabi NetBSD: Run with it.
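
An added example, not part of the original message and not NetBSD libc code: a program that has to accept a format string from a less-trusted source can scan it for a %n conversion before handing it to *printf. The function name format_has_percent_n and the sample strings are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if fmt contains a %n conversion
 * (with any positional argument, flags, width, precision or length
 * modifier), 0 otherwise. "%%" is treated as a literal percent sign. */
int format_has_percent_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                        /* step past the '%' */
        if (*p == '%')
            continue;               /* "%%" is not a conversion */
        /* skip positional argument, flags, width and precision */
        p += strspn(p, "0123456789$-+ #'*.");
        /* skip length modifiers such as hh, l, ll, q, j, z, t, L */
        p += strspn(p, "hlqjztL");
        if (*p == 'n')
            return 1;               /* stores the output count via (int *) */
        if (*p == '\0')
            return 0;               /* directive cut off at end of string */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample format strings. */
    const char *samples[] = {
        "user=%s uid=%d\n",
        "100%% done\n",
        "%s%n",
        "%1$hhn",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20.18s -> %s\n", samples[i],
               format_has_percent_n(samples[i]) ? "reject" : "ok");
    return 0;
}
```

A scan like this only filters %n; untrusted text is still best passed as an argument to a fixed "%s" format rather than used as the format itself.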