[ On Monday, September 11, 2000 at 16:59:04 (-0400), Bill Sommerfeld wrote: ]
> Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5 
>
> I'm attempting to reduce the magnitude of the harm which can result
> from a bug of this form, from a total system compromise, to a mere
> denial of service.

I would hope that a denial-of-service type of bug, especially in any
set-{user,group}-id program, would result in an advisory being issued --
there's nothing "mere" about them in my mind!!!  However if the
consensus is that an advisory is not necessary then yes it would be
sensible to do something about '%n' and leave the rest for later
audits.

If something is to be done explicitly about '%n' then I personally would
prefer some sort of run-time checking since that's the only way to
really be able to catch them.  Perhaps the discovery of a '%n' in the
format string could be made to cause a warning to be logged, and perhaps
if the program is running with enhanced privileges to simply ignore the
'%n' too.  As for controlling it (i.e. to allow a programmer in the know
to disable the checks), well that really needs to be done on a per-call
basis.  I don't know how best to do this, other than having a global
variable that the programmer must set before every call and which will
be reset within the printf() core.  This would allow lazy and diligent
programmers to put a wrapper macro in their config.h to cover all calls,
of course, but every compromise has its drawbacks.

Unfortunately this is like having a caching nameserver log that someone
else's nameserver is lame for some domain you're trying to access --
you're telling all the wrong people, but maybe if you make enough noise
someone will eventually tell the people who can actually do something to
fix the real problem.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>