Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: None <tech-userlevel@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 09/11/2000 16:48:42
[ On Monday, September 11, 2000 at 15:45:58 (-0400), Bill Sommerfeld wrote: ]
> Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5 
>
> Fixing and issuing advisories for format string bugs may end up
> consuming a significant fraction of the security officer's bandwidth.
> 
> I'd like someone who's advocating keeping %n enabled by default to
> step forward and volunteer to handle fixing and issuing advisories for
> all current and future format-string security problems discovered in
> NetBSD and NetBSD packages.
> 
> Thanks.

Like Chris has said twice already, those bugs will exist with or without
'%n' (i.e. they already exist and are already very dangerous) and they
must be fixed anyway!

Sticking one's head in the sand and pretending the problem will go away
if you take '%n' support out of printf() et al is only making everyone's
job harder, including that of the NetBSD Security Officer, while at the
same time creating a non-standard implementation.

You may as well just do `rm $(locate printf)' and start rewriting
everything in an exclusively object-oriented language (i.e. not C++) if
you don't want to allow these kinds of bugs!  C might not have many
bells and whistles, but it sure does contain lots of handy rope and many
sharp edges -- it must always be used with care and understanding.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
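
Added example (not part of the original message or of NetBSD's libc): a small C audit that treats a string as a printf format and counts the arguments its directives would consume, alongside the fix the message argues for, which is passing untrusted text as data to a constant "%s" format. The names `fmt_audit`, `audit_format` and `log_untrusted` are hypothetical and the input strings are constructed; it shows that a string with no '%n' at all still makes printf() fetch arguments that were never passed.

```c
#include <stdio.h>
#include <string.h>
/* Result of scanning a string as if it were a printf format (hypothetical helper). */
struct fmt_audit {
    int args;    /* variadic arguments the directives would consume */
    int has_n;   /* non-zero if a %n directive is present */
};

/* Walk %[flags][width][.precision][length]conversion; positional n$ is not handled. */
static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = {0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }          /* literal percent sign */
        s += strspn(s, "-+ #0");                   /* flags */
        if (*s == '*') { a.args++; s++; }          /* width read from an argument */
        else s += strspn(s, "0123456789");
        if (*s == '.') {
            s++;
            if (*s == '*') { a.args++; s++; }      /* precision read from an argument */
            else s += strspn(s, "0123456789");
        }
        s += strspn(s, "hlqjztL");                 /* length modifiers */
        if (*s == '\0') break;                     /* truncated directive at end of string */
        if (strchr("diouxXeEfgGaAcspn", *s) != NULL) {
            a.args++;
            if (*s == 'n') a.has_n = 1;
        }
        s++;
    }
    return a;
}

/* Hardened call: untrusted text is only ever data for a constant format. */
static int log_untrusted(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

int main(void)
{
    const char *input = "%x %s %p";                /* constructed sample input */
    struct fmt_audit a = audit_format(input);
    char buf[64];
    log_untrusted(buf, sizeof buf, input);
    printf("args=%d has_n=%d logged=%s\n", a.args, a.has_n, buf);
    return 0;
}
```

Any string for which `audit_format` reports `args > 0` is unsafe to hand to printf() as the format itself, whether or not `has_n` is set.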