Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: Chris G. Demetriou <cgd@sibyte.com>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-userlevel
Date: 09/11/2000 15:16:02
> It is fundamentally unsafe to pass user data as the format string to
> printf.  %n may make this exploitable in a way that can set a value in
> the program, but the fundamental issue is still there and should be
> addressed by fixing the issue, not by band-aiding printf() et al. in a
> non-standard way.

%n allows an error which would otherwise allow for a *read* of an
arbitrary address (and likely program-terminating core dump) into one
which allows arbitrary writes into arbitrary locations, allowing
complete subversion of program behavior.

Program-crashing denials of service are significantly less severe than
holes which allow an attacker to patch an arbitrary location to an
arbitrary value and/or execute arbitrary code.

I have no objection to continuing to support %n in
compile-time-constant format strings, as long as we're protected from
%n exploits in run-time variable format strings.

					- Bill
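An added example, not code from the thread or from NetBSD's libc, showing the distinction drawn above in a user-level wrapper: a run-time (non-constant) format string is scanned and refused if it carries %n, while passing user data through a literal `"%s"` format works normally. `fmt_has_n_conversion` and `checked_snprintf` are hypothetical names for this illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if fmt contains a %n conversion.  "%%" is a literal percent; flags,
 * width, precision, "$" position and length modifiers may precede 'n'. */
bool fmt_has_n_conversion(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;               /* "%%": literal '%' */
        while (*p != '\0' && strchr("-+ #0123456789.*$hlLqjzt", *p) != NULL)
            p++;                    /* skip to the conversion character */
        if (*p == 'n')
            return true;
        if (*p == '\0')
            break;                  /* trailing lone '%' */
    }
    return false;
}

/* snprintf() wrapper for run-time format strings: refuse any format with
 * %n, so a bad format can at worst mis-read, never write.  Returns -1 and
 * leaves buf untouched when %n is present. */
int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    if (fmt_has_n_conversion(fmt))
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}
int main(void)
{
    char buf[64];
    const char *user = "name%n";    /* constructed attacker-controlled input */
    /* Correct: the literal "%s" is the format; user data is an argument. */
    checked_snprintf(buf, sizeof buf, "%s", user);
    /* Wrong pattern, caught: user data used directly as the format. */
    if (checked_snprintf(buf, sizeof buf, user) == -1)
        puts("rejected run-time format containing %n");
    return 0;
}
```

GCC's -Wformat-security additionally flags the non-literal `checked_snprintf(buf, sizeof buf, user)` call at compile time, which is the cheaper place to catch this pattern.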