On Fri, Dec 16 2022, Vincent Lefevre wrote:
> On 2022-12-15 18:56:15 -0700, Theo de Raadt wrote:
>> There are almost no %n left in the software ecosystem. If we are able
>> to make this crossing, everyone else is also capable, and eventually
>> will. Just like with gets().
>
> FYI, this breaks
That could almost be an entry for calendars.openbsd
Dec 16 Vincent Lefevre arrives and tries to educate the OpenBSD developers
about format string vulnerabilities, which they have been fixing
since 1996
Vincent Lefevre wrote:
> On 2022-12-16 09:03:39 -0700, Theo de
On 2022-12-16 09:03:39 -0700, Theo de Raadt wrote:
> Vincent Lefevre wrote:
>
> > BTW, if developers use an untrusted format string, then sprintf()
> > is unsafe too (possible buffer overflow), and at some point,
> > printf() too.
>
> what are you trying to say?
According to
Vincent Lefevre wrote:
> BTW, if developers use an untrusted format string, then sprintf()
> is unsafe too (possible buffer overflow), and at some point,
> printf() too.
what are you trying to say?
are you trying to say everyone including you should review and audit and
re-audit all of them?
Well they need to respond, or openbsd ports needs a diff.
Vincent Lefevre wrote:
> On 2022-12-15 18:56:15 -0700, Theo de Raadt wrote:
> > There are almost no %n left in the software ecosystem. If we are able
> > to make this crossing, everyone else is also capable, and eventually
> > will.
On 2022/12/16 10:50, Vincent Lefevre wrote:
> On 2022-12-15 18:56:15 -0700, Theo de Raadt wrote:
> > There are almost no %n left in the software ecosystem. If we are able
> > to make this crossing, everyone else is also capable, and eventually
> > will. Just like with gets().
>
> FYI, this
On 2022-12-15 18:56:15 -0700, Theo de Raadt wrote:
> There are almost no %n left in the software ecosystem. If we are able
> to make this crossing, everyone else is also capable, and eventually
> will. Just like with gets().
FYI, this breaks GMP, whose configure script insists on %n being
This falls into the category of "bummer".
We will continue to break all applications that use %n, because we
haven't found a single use of %n that is safe. And %n uses are
completely trivial to replace.
There are almost no %n left in the software ecosystem. If we are able
to make this