That could almost be an entry for calendars.openbsd

Dec 16     Vincent Lefevre arrives and tries to educate the OpenBSD developers
           about format string vulnerabilities, which they have been fixing
           since 1996

Vincent Lefevre <vinc...@vinc17.net> wrote:

> On 2022-12-16 09:03:39 -0700, Theo de Raadt wrote:
> > Vincent Lefevre <vinc...@vinc17.net> wrote:
> > 
> > > BTW, if developers use an untrusted format string, then sprintf()
> > > is unsafe too (possible buffer overflow), and at some point,
> > > printf() too.
> > 
> > what are you trying to say?
> 
> According to
> 
>   https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2834.htm
> 
> it has been proposed to deprecate %n mainly because:
> 
>   If the format argument of a printf-style-function originates from an
>   unverified source an attacker may be able to write arbitrary values
>   to the stack.
> 
> But I'm saying that from this point of view, sprintf() is unsafe too,
> actually much more unsafe. Something like %n injection in the format
> argument can easily be detected (actually any injection of a format
> specifier). For instance, if someone writes
> 
>   printf (buf);
> 
> assuming that the string buf will be output, where buf has untrusted
> contents, then if buf contains %n, the number of arguments will be
> incorrect, so that this can be detected at run time (ditto if printf
> has arguments that correspond to a trusted part of buf). However,
> with
> 
>   sprintf (s, buf);
> 
> (rather than using snprintf), even if the number of arguments is
> checked to be correct, there could still be a buffer overflow with
> an untrusted buf.
> 
> It's a pity that N2834 doesn't give real-world examples of insecure
> use of %n, in particular ones that it would not be possible to detect
> at run time.
> 
> -- 
> Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

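The two patterns discussed in the thread, `printf(buf)` and `sprintf(s, buf)` with untrusted `buf`, side by side with the runtime conversion-count check Vincent describes and the bounded `snprintf("%s", ...)` form. This is an added example written for this page; it is not code from the thread, from OpenBSD, or from N2834. `count_conversions`, `format_is_acceptable`, `vulnerable_echo` and `safe_echo` are hypothetical names chosen here, and the "untrusted" strings are constructed sample input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical checker (not libc): count the arguments a printf-style
 * format would consume and report whether any conversion is %n.
 * "%%" is a literal percent sign; a '*' width or precision consumes an
 * extra argument.  It only skips flag/width/precision/length characters
 * up to the conversion letter, which is enough to answer "does this
 * string carry conversions at all" for a caller that meant plain text. */
static int count_conversions(const char *s, bool *has_n)
{
    int n = 0;
    *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                    /* "%%": literal percent */
            continue;
        if (*p == '\0')                   /* trailing lone '%' */
            break;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*')                /* '*' takes an argument too */
                n++;
            p++;
        }
        if (*p == '\0')
            break;
        if (*p == 'n')
            *has_n = true;
        n++;
    }
    return n;
}

/* Vincent's runtime check made concrete: a caller that supplies k
 * arguments refuses a format that would consume a different number,
 * and (unless explicitly allowed) any format containing %n. */
static bool format_is_acceptable(const char *fmt, int nargs_supplied, bool allow_n)
{
    bool has_n;
    int need = count_conversions(fmt, &has_n);
    if (has_n && !allow_n)
        return false;
    return need == nargs_supplied;
}

/* The pattern under discussion, kept as the vulnerable 'before': the
 * untrusted data is the format, so it can inject %n, and sprintf writes
 * without a bound, so even an argument-count check leaves the overflow.
 * Never call this with attacker-controlled input. */
void vulnerable_echo(char *dst, const char *untrusted)
{
    sprintf(dst, untrusted);
}

/* Hardened form: the format is a literal, the untrusted data is merely an
 * argument (so "%n" in it is just text), and the write is bounded.
 * Returns true if the input fit, false if snprintf truncated it. */
static bool safe_echo(char *dst, size_t dstlen, const char *untrusted)
{
    int r = snprintf(dst, dstlen, "%s", untrusted);
    return r >= 0 && (size_t)r < dstlen;
}

int main(void)
{
    /* Constructed sample input standing in for attacker-controlled data. */
    const char *untrusted = "user input with %n and %s";
    char out[32];
    bool has_n;

    int n = count_conversions(untrusted, &has_n);
    printf("conversions=%d has_n=%d\n", n, has_n);
    printf("printf(buf) with 0 args acceptable: %d\n",
           format_is_acceptable(untrusted, 0, false));

    bool fit = safe_echo(out, sizeof out, untrusted);
    printf("safe_echo fit=%d -> \"%s\"\n", fit, out);

    /* vulnerable_echo(out, untrusted);  -- format injection; not executed */
    return 0;
}
```

The check catches the `printf(buf)` case (a caller with zero arguments rejects any conversion), which is Vincent's point; the `safe_echo` return value is the part the check cannot give you, since only the bounded call and its truncation result address the overflow in `sprintf(s, buf)`.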