Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: None <firstname.lastname@example.org>
From: Bill Sommerfeld <email@example.com>
Date: 09/11/2000 16:59:04
I am *NOT* sticking my head in the sand.
I'm attempting to reduce the magnitude of the harm which can result
from a bug of this form, from a total system compromise, to a mere
denial of service.
All bugs do not have the same severity. All security holes do not
have the same severity. All bugs are *not* security holes.
Format bugs still need to be fixed even if %n is disabled. They just
won't require security-officer handling because they won't be at the
level which requires issuing an advisory.