Well, they need to respond, or openbsd ports needs a diff.

Vincent Lefevre <vinc...@vinc17.net> wrote:
> On 2022-12-15 18:56:15 -0700, Theo de Raadt wrote:
> > There are almost no %n left in the software ecosystem. If we are able
> > to make this crossing, everyone else is also capable, and eventually
> > will. Just like with gets().
>
> FYI, this breaks GMP, whose configure script insists on %n being
> available, otherwise GMP uses its own, buggy implementation of
> vsnprintf, which triggers an assertion failure when %a/%A is used
> (and this bug affects MPFR). AFAIK, the GMP developers haven't
> reacted to the bug report sent in October.
>
> BTW, if developers use an untrusted format string, then sprintf()
> is unsafe too (possible buffer overflow), and at some point,
> printf() too.
>
> --
> Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
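The exchange above is about two things: code that still relies on %n (the usual idiom being "store the byte offset reached so far"), and format strings that come from untrusted input. The following C block is an added example written for this page; it is not code from the thread, from GMP, or from OpenBSD's libc. The function names format_prefixed and format_has_n are hypothetical. The first shows the %n idiom rewritten on top of snprintf's return value, which is what a port can do instead of depending on %n being available; the second is a small scanner that flags a %n conversion in a format string, illustrating why a format under attacker control is a write primitive and not merely a read of garbage arguments.

```c
#include <stdio.h>
#include <string.h>

/*
 * Portable replacement for the "%n" idiom.  Code that once wrote
 *     snprintf(buf, len, "%s=%d%n", label, value, &pos);
 * to learn where the suffix starts can use snprintf's return value
 * instead: it is the number of bytes the conversion produced (or would
 * have produced, if truncated).  Returns the offset at which `suffix`
 * was placed, or -1 if the output did not fit.  (Hypothetical helper.)
 */
int format_prefixed(char *buf, size_t len, const char *label, int value,
                    const char *suffix)
{
    int n = snprintf(buf, len, "%s=%d", label, value);
    if (n < 0 || (size_t)n >= len)
        return -1;                      /* error or truncated */
    int m = snprintf(buf + n, len - (size_t)n, "%s", suffix);
    if (m < 0 || (size_t)m >= len - (size_t)n)
        return -1;                      /* suffix did not fit */
    return n;                           /* the value %n would have stored */
}

/*
 * Scan a printf-style format string and report whether it contains a
 * %n conversion, including forms such as "%5$n" or "%hhn".  This is a
 * hypothetical guard for format strings that arrive from untrusted
 * input; it does not make such use safe (a %s with no matching argument
 * still reads whatever is on the stack), and the real fix is never to
 * hand an attacker-controlled string to the printf family as the format.
 * Returns 1 if a %n conversion is present, 0 otherwise.
 */
int format_has_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                  /* literal "%%", not a conversion */
            continue;
        /* skip flags, field width, precision, positional and length modifiers */
        while (*p != '\0' && strchr("0123456789$-+ #.*hlLqjzt", *p) != NULL)
            p++;
        if (*p == 'n')
            return 1;
        if (*p == '\0')                 /* dangling '%' at end of string */
            break;
    }
    return 0;
}

int main(void)
{
    char buf[32];
    int off = format_prefixed(buf, sizeof buf, "count", 42, ";");
    printf("%s (suffix starts at offset %d)\n", buf, off);
    printf("untrusted format \"%%s%%n\" contains %%n: %d\n",
           format_has_n("%s%n"));
    return 0;
}
```

Note that format_has_n is a diagnostic, not a sanitizer: rejecting %n removes the arbitrary-write primitive, but the buffer-overflow point made in the quoted mail (an untrusted format driving sprintf() into a fixed buffer) remains, so the only robust rule is a constant format with the untrusted data passed as a %s argument.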