Jim Meyering wrote:
> But disallowing %n in a writable format string does
> protect applications from an entire class of exploits.
> That is worth more than enough to compensate for the minor limitation.
Two remarks:
1) The %n has to serve as a scapegoat here. The exploit in [1] is a
combination of
1. a runtime system that allows modifications of arbitrary memory
locations without the concept of compartments inside the memory
of a process (C combined with the Unix memory model),
2. a user-provided string that is used as a format string,
3. a format directive that causes a write into memory.
#1 is the real root of so many security issues, but its solution is
out of scope here.
#2 is the cause of this particular issue. #3 is not an issue by itself.
So why don't people think more about how to fix #2?
2) Does it have to be done through abort()? Can't it be silent like on
Windows Vista? IMO, library functions should not crash a program when
the input is standards-compliant.
> BTW, this problem was also encountered last year by CVS developers.
I must have missed that, sorry.
Bruno
[1] http://seclists.org/bugtraq/1999/Sep/0328.html
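Added illustration, not part of Bruno's or Jim's mail: a C check of the kind Jim describes (rejecting a %n directive in a format string that is writable or user-supplied), beside the fix for ingredient #2 (the user string is passed as data to a fixed format, never used as the format). Function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Ingredient #3 check: walk a printf-style format and report whether it
 * contains a %n conversion. "%%" is skipped, and positional "N$", flags,
 * width, precision and length modifiers are consumed so that a %n hidden
 * behind them (e.g. "%5$hhn") is still caught. */
bool format_contains_n(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                    /* literal percent sign */
            continue;
        while (*p && strchr("0123456789$#-+ '.*", *p))
            p++;                          /* N$, flags, width, precision */
        while (*p && strchr("hlLqjzt", *p))
            p++;                          /* length modifiers */
        if (*p == 'n')
            return true;
        if (!*p)
            break;                        /* "%" at end of string */
    }
    return false;
}

/* Ingredient #2 fix: the user string is only ever an argument to a fixed
 * format, never the format itself, so any %-sequence it carries stays
 * literal. The static buffer is for demonstration only (not thread-safe). */
const char *render_user_line(const char *user)
{
    static char line[256];
    snprintf(line, sizeof line, "user said: %s", user);
    return line;
}

int main(void)
{
    /* constructed sample formats, some with %n hidden behind modifiers */
    const char *inputs[] = { "hello %d", "%n", "%%n", "%5$hhn", "100%" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-8s contains %%n: %s\n", inputs[i],
               format_contains_n(inputs[i]) ? "yes" : "no");
    puts(render_user_line("%n%n%n"));   /* prints the %n's as plain text */
    return 0;
}
```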