Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: None <sommerfeld@orchard.arlington.ma.us>
From: James Chacon <jchacon@genuity.net>
List: tech-userlevel
Date: 09/13/2000 10:45:08
>
>I am *NOT* sticking my head in the sand.
>
>I'm attempting to reduce the magnitude of the harm which can result
>from a bug of this form, from a total system compromise, to a mere
>denial of service.
This logic makes no sense though in the larger context. Using this idea
then gets() should have simply been removed as well from the library years
ago as its abuse can cause system compromises. As Chris points out multiple
times, sprintf would have to get treated the same way.
If we disable everything that someone can incorrectly code which can cause
a system compromise then go ahead and turn off the networking code. Any
incorrect coding around that in general allows compromises. Let's turn off
setuid as well and we should be covered. Of course it's no longer a unix
system or anything close to standards compliance but that's simpler than just
fixing the code...
At what point do you step back and fix the underlying problem in each
case (i.e. someone coded something wrong) vs. applying the world's largest
band-aid?
James