On 2022/12/16 10:50, Vincent Lefevre wrote:
> On 2022-12-15 18:56:15 -0700, Theo de Raadt wrote:
> > There are almost no %n left in the software ecosystem.  If we are able
> > to make this crossing, everyone else is also capable, and eventually
> > will.  Just like with gets().
> 
> FYI, this breaks GMP, whose configure script insists on %n being
> available, otherwise GMP uses its own, buggy implementation of
> vsnprintf, which triggers an assertion failure when %a/%A is used
> (and this bug affects MPFR). AFAIK, the GMP developers haven't
> reacted to the bug report sent in October.

btw, that doesn't appear to affect the GMP port; the values passed in from
ports infrastructure via config.cache override the autoconf check for %n
(which appears to be trying to detect a bug in Solaris 2.7 on 64-bit SPARC).

> BTW, if developers use an untrusted format string, then sprintf()
> is unsafe too (possible buffer overflow), and at some point,
> printf() too.
> 
> -- 
> Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
> 
