Bugtraq mailing list archives
Re: StackGuard with ... Re: [Paper] Format bugs.
From: mixter () 2XS CO IL
Date: Sun, 23 Jul 2000 20:41:35 +0300
The problem is that the functions using format strings should be secure by default, but they awfully fail to be. That IS an issue at the conceptual level, because the standards themselves allow something that can very easily open security holes. It is a bad idea to have any format functions accept format strings that aren't hard coded at compile time. All these functions need to have one format argument at one location, which definitely needs to be a hard-coded string, (using and enforcing const). Per definition, it is arguably possible to supply variable format strings in a program, but it is rarely practically used, and it shouldn't be practically used. At least, when supplying any format function a non-constant format argument, the compiler should spit out a big warning, and it should do that by default without warnings enabled. On Fri, 21 Jul 2000, Brett Glass wrote:
Which brings up a more interesting question: Don't these errors really reflect more fundamental problems in the development tools? It seems to me that the bugs arose because: 1) Format strings in the C libraries use a sort of "in-band signalling" -- that is, they can mix text with format designators. This means that passing the text you want to print as the format string produces results that appear to be correct. 2) The C language itself has no way of specifying a MINIMUM number of arguments for a function call. Had the compiler noted that setproctitle() and similar functions need at least two arguments, the mistakes would have been caught from the get-go. The latter problem can be solved by insisting upon the use of macros that mandate a minimum number of arguments and produce a warning or error message otherwise. The former requires changing the conventions used by the standard C libraries, which is probably infeasible. --Brett Glass At 03:52 PM 7/21/2000, Theo de Raadt wrote:There is no substitute, however, for a careful line-by-line audit of code.In my mind, there never was. When this came up, we (Todd Miller, Todd Fries, and I) did an audit on our source tree for the following cases *printf() err*() warn*() syslog() setproctitle() hand-made log()-style functions which end up calling v*() functions
Current thread:
- (New ?) Macro security hole in Word 97, (continued)
- (New ?) Macro security hole in Word 97 Bongard, Dominique (Jul 21)
- Re: (New ?) Macro security hole in Word 97 Bronek Kozicki (Jul 22)
- Jakarta-tomcat.../admin Scott Morris (Jul 21)
- StackGuard with ... Re: [Paper] Format bugs. Alan DeKok (Jul 21)
- [RHSA-2000:044-02] Updated PAM packages are available. bugzilla () REDHAT COM (Jul 21)
- Re: StackGuard with ... Re: [Paper] Format bugs. Theo de Raadt (Jul 21)
- Roxen security alert: Problems with URLs containing null characters. Peter Bortas (Jul 21)
- Re: StackGuard with ... Re: [Paper] Format bugs. Brett Glass (Jul 21)
- Re: StackGuard with ... Re: [Paper] Format bugs. Greg A. Woods (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Brett Glass (Jul 25)
- Re: StackGuard with ... Re: [Paper] Format bugs. mixter (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Linus Akesson (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Dan Harkless (Jul 25)
- Re: StackGuard with ... Re: [Paper] Format bugs. Valentin Nechayev (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Greg A. Woods (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Dick St.Peters (Jul 25)
- Re: StackGuard with ... Re: [Paper] Format bugs. Hannah Schröter (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Stephen J. Friedl (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Casper Dik (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. stanislav shalunov (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Daniel Jacobowitz (Jul 24)