Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: None <sommerfeld@orchard.arlington.ma.us, tech-userlevel@netbsd.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-userlevel
Date: 09/14/2000 23:35:28

On Feb 1,  4:40am, Bill Sommerfeld wrote:
}
} As many of you are well aware, there has been a recent spate of
} security vulnerabilities discovered as a result of applications
} allowing untrusted data to end up as a format string.
} 
} All known non-denial-of-service format string exploits involve the use
} of the %n specifier, which pulls an argument out of the argument list,
} interprets it as an (int *), and stores the character count of the
} current output into it.  
} 
} [snip]
} 
} Because it is used so infrequently, I'd like to *disable* the %n
} format in userland by default.  If a %n format is encountered when the

<AOL>
     I agree with all the other posters; this is an extremely dumb idea
for all the same reasons that they gave.
</AOL>

     What are you going to do next, disable strcpy, strcat, sprintf,
etc.  because the misuse of them leads to buffer overflow attacks?

     BTW, see my comment to Luke about NetBSD being about doing the
right thing, not the convenient thing.  This would definitely be the
wrong thing to do.

}-- End of excerpt from Bill Sommerfeld
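
The quoted proposal turns on whether a format string carries a %n directive and on untrusted data ending up as the format. The following is an added example, not code from either poster or from NetBSD: a check for %n in a format string, next to a wrapper that passes untrusted text only as an argument to a constant "%s". The names `format_has_n` and `log_untrusted` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if fmt contains a %n conversion (with any flags, width,
 * positional "N$" or length modifier), 0 otherwise. */
int format_has_n(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                 /* "%%" is a literal percent sign */
        /* skip flags, field width, precision and positional "N$" */
        while (*p && strchr("-+ #0'123456789*$.", *p))
            p++;
        /* skip length modifiers: hh h l ll j z t L q */
        while (*p && strchr("hljztLq", *p))
            p++;
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            return 0;                 /* directive cut off at end of string */
    }
    return 0;
}

/* Hypothetical wrapper: the format is the constant "%s", so any directives
 * inside the untrusted text are copied as plain characters. */
int log_untrusted(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

int main(void)
{
    /* Constructed sample strings. */
    const char *samples[] = { "user=%s id=%d", "100%% done", "%5$hhn", "%%n" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s has %%n: %d\n", samples[i], format_has_n(samples[i]));

    log_untrusted(buf, sizeof buf, "%n%n%x");
    printf("logged as data: %s\n", buf);
    return 0;
}
```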