NetBSD-Bugs archive


Re: bin/59836: 11.0_BETA: resolvconf fails with 'eval: make_vars: IP_OF_2ND_DNS: not found' for more than 1 dns server



The following reply was made to PR bin/59836; it has been noted by GNATS.

From: Henryk Paluch <hpaluch%seznam.cz@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: roy%NetBSD.org@localhost
Subject: Re: bin/59836: 11.0_BETA: resolvconf fails with 'eval: make_vars:
 IP_OF_2ND_DNS: not found' for more than 1 dns server
Date: Mon, 15 Dec 2025 09:50:22 +0100

 On 12/15/25 08:23, Roy Marples wrote:
 > And does that commit now fix it for you?
 > 
 > 
 > Roy
 
 Yes, it works, but it introduced a new potential security bug, because it 
 now passes untrusted user data ($NAMESERVERS) as the format string to 
 printf(1) - which is generally dangerous, because an attacker could add 
 something like '%s' (or any other '%' argument), changing printf(1) 
 behavior in an unexpected way. What I mean:
 
 From: 
 https://github.com/NetBSD/src/commit/025246054c2b2ce5d47c2d8943b71d93a4a0fb19
 
 The original line used printf properly (the format string is constant and 
 defined by the script - no external user data involved):
 
    printf '%s\n' "NAMESERVERS=\"\$NAMESERVERS \"$ns"
 
 
 But the fixed line passes (untrusted) user data as the format string, which 
 opens the potential for attacks (a user can pass '%something', changing the 
 behavior of the printf(1) command):
 
    printf 'NAMESERVERS="$NAMESERVERS "%s\n' "$(quote "$ns")"
 
 
 As a general recommendation - the 1st argument of printf(1), the format 
 string, should never contain external (untrusted) data, to avoid unexpected 
 behavior.
 
 
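The general recommendation in the reply above, shown as an added example (this is not code from the PR, from the linked commit, or from NetBSD's resolvconf): one constructed "nameserver" string made of printf directives is run through printf(1) twice, once as the format argument and once as a %s argument, and a generated shell assignment line is then emitted the safe way. The `quote` helper here is a hypothetical stand-in and is not resolvconf's own quote function.

```shell
#!/bin/sh
# Added example, not code from the PR or from NetBSD's resolvconf.
# Demonstrates why printf(1)'s format argument must be a literal the
# script controls, never external data.

# Constructed sample value: what should be a nameserver address is
# really a run of printf directives.
EVIL_NS='%s%s%s'

# Unsafe pattern: external data becomes the format string.  printf(1)
# parses each %s; with no further arguments every directive expands to
# an empty string, so the data is silently consumed instead of printed
# (width directives such as %99999s would instead flood the output).
unsafe_print() {
    printf "$1"
}

# Safe pattern: the format is a literal and the data is the argument to
# %s, so it is copied verbatim whatever characters it contains.
safe_print() {
    printf '%s' "$1"
}

# Hypothetical quoting helper (an assumption, not resolvconf's quote()):
# wraps a value in single quotes so a generated line survives eval.
quote() {
    printf "'%s'" "$1"
}

# Emit one line of generated shell the safe way: the format is a literal
# (single-quoted, so the embedded "$name" is written out unexpanded for
# the later eval), and both the variable name and the quoted value are
# passed as %s arguments rather than spliced into the format.
emit_assignment() {
    printf '%s="$%s "%s\n' "$1" "$1" "$(quote "$2")"
}

# Run both patterns on the constructed value and show the difference.
unsafe=$(unsafe_print "$EVIL_NS")
safe=$(safe_print "$EVIL_NS")
echo "unsafe: [$unsafe]"
echo "safe:   [$safe]"
emit_assignment NAMESERVERS "$EVIL_NS"
```

Running it prints an empty pair of brackets for the unsafe form (the three %s directives ate the value) and the original string for the safe form; the emitted assignment line carries the value intact inside its single quotes.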

