Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: Bill Sommerfeld <>
From: Todd Vierling <>
List: tech-userlevel
Date: 09/11/2000 10:37:15
On Mon, 11 Sep 2000, Bill Sommerfeld wrote:

: All known non-denial-of-service format string exploits involve the use
: of the %n specifier, which pulls an argument out of the argument list,
: interprets it as an (int *), and stores the character count of the
: current output into it.  

Given that it's required by SUSv2 and POSIX to be available at all times....

I could see a function provided to _disable_ it, not enable it.  Any program
written to be suid shouldn't be trusting third-party format strings at all,
but if they do, then we coupld provide those programs with such a tool.

-- Todd Vierling <>  *
-- Speed, stability, security, and support.  Wasabi NetBSD:  Run with it.