On 2022-12-15 18:56:15 -0700, Theo de Raadt wrote:
> There are almost no %n left in the software ecosystem.  If we are able
> to make this crossing, everyone else is also capable, and eventually
> will.  Just like with gets().

FYI, this breaks GMP, whose configure script insists on %n being
available, otherwise GMP uses its own, buggy implementation of
vsnprintf, which triggers an assertion failure when %a/%A is used
(and this bug affects MPFR). AFAIK, the GMP developers haven't
reacted to the bug report sent in October.

BTW, if developers use an untrusted format string, then sprintf()
is unsafe too (possible buffer overflow), and at some point,
printf() too.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
