bug-gnulib

Re: recent glibc printf bug


From: Eric Blake
Subject: Re: recent glibc printf bug
Date: Thu, 24 Feb 2011 08:57:20 -0700
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Lightning/1.0b3pre Mnenhy/0.8.3 Thunderbird/3.1.7

On 02/24/2011 08:32 AM, Bruno Haible wrote:
> Hi Eric,
> 
>> Another glibc printf bug has been exposed and fixed:
>>
>> http://sourceware.org/bugzilla/show_bug.cgi?id=12445
>>
>> Should our *printf-posix modules be testing for and working around this
>> issue?
> 
> Based on the expected frequency of the bug - it affects only format strings
> with more than 31 format directives -, I would say no.

I might be okay with a compromise - document the glibc bug and that
printf-posix doesn't fix it, because the likelihood of the developer
intentionally passing a string with 31 format directives is slim (does
anyone ever pass a gettext string with that many format directives?).

The bug appears to only affect positional directives (%1$s) and not
traditional directives (%s).  Most printf format strings are known at
compile time, and the remaining few that pass through arbitrary formats
from the user (programs like coreutils' printf or seq) tend to use
traditional rather than positional parameters, so I think they are
immune.  That is, I don't know if any gnulib clients would benefit from
the extra enforcement, if it's easy enough to avoid the problematic
format strings in the first place.

> But the effect of writing wrong data to the stack could be abused for
> security-relevant exploits, so I would say yes.

Can gettext() ever return a translation that exploits the bug, by
abusing positional directives to have more directives than the original
format string being translated?  Maybe gettext needs to sanitize
translated strings to ensure that translators can't inject the bug?

-- 
Eric Blake   address@hidden    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
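A conservative check of the kind asked about at the end of the message, added here as an example; it is not code from gnulib, gettext or glibc. The threshold of 31 and the positional/traditional distinction follow the thread; the directive scan is deliberately simplified (assumption: flags, widths, precisions and length modifiers are not validated, and a lone trailing '%' is counted as a directive).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed limit taken from the thread: formats with more than this many
   directives fall into the window of the glibc bug being discussed. */
#define ASSUMED_GLIBC_DIRECTIVE_LIMIT 31

/* Count printf conversion directives in fmt ("%%" is a literal and is
   not counted).  *positional is set if any directive uses the "%N$"
   form.  Simplified scan: flags, widths and lengths are not checked. */
size_t count_directives(const char *fmt, bool *positional)
{
    size_t n = 0;
    *positional = false;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (isdigit((unsigned char)*q))
            q++;
        if (q > p + 1 && *q == '$') /* "%N$" argument index */
            *positional = true;
        n++;
    }
    return n;
}

/* Accept a translated format only if it does not introduce more
   directives than the original (the injection Eric worries about) and
   does not combine positional directives with a count above the
   assumed limit.  Returns true when the translation is acceptable. */
bool translation_is_safe(const char *orig, const char *xlat)
{
    bool pos_orig, pos_xlat;
    size_t n_orig = count_directives(orig, &pos_orig);
    size_t n_xlat = count_directives(xlat, &pos_xlat);

    if (n_xlat > n_orig)
        return false;   /* translator added directives */
    if (pos_xlat && n_xlat > ASSUMED_GLIBC_DIRECTIVE_LIMIT)
        return false;   /* positional and inside the bug window */
    return true;
}
```

Traditional directives are left alone even above the limit, matching the observation in the message that only positional formats appear to be affected.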
