> This is a good find and I see two fairly straightforward ways to deal
> with the bug:
>
> 1. We can drop the new -f flag. This is a little inconvenient for some
> users, but immediately plugs the hole.
>

That's an option, even if it would break existing scripts which use -f, if any.
Probably worth applying to plug the hole immediately, yes.

> 2. We can write our own print function that will not crash or give
> weird behaviour the way printf() does. Right now I'm leaning toward
> the latter option. It's a little more work, but probably a nicer fix
> for everyone in the long run.
>

I fear that it's much more than a little work. Probably it's easier to just
sanitize the input. The following code forbids strings containing "%s" or two
"%", yet allows "%%", which is a valid escape to print a percent sign.

#include <string.h>

/* Returns 1 if str contains "%s" or more than one conversion ("%%" is
 * skipped as the literal-percent escape), 0 otherwise. */
int unsafe_str(char *str)
{
	int found = 0;
	char *ptr = str;

	while ((ptr = strchr(ptr, '%'))) {
		if (ptr[1] == 's')
			return 1;
		if (ptr[1] == '%') {
			/* "%%" prints a literal '%', skip both characters */
			ptr += 2;
			continue;
		}
		if (found)
			return 1;	/* second conversion: reject */
		found = 1;
		ptr++;
	}
	return 0;
}

The sanitizer is incomplete though, the error can still be exploited by adding
a modifier to "%s" (like "% s" or "%.*s"), or using the Single UNIX
Specification syntax which allows picking the Nth argument with %Nd, like
"%1000000$d".

Regards,
--
Matteo Croce
per aspera ad upstream
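As an added example (not part of Matteo's message or the project's own code), here is a stricter checker that parses each conversion specification in full instead of only looking at the character after '%'. It assumes, like the posted sanitizer does, that the program supplies a fixed number of integer or character arguments (max_args, an assumption of this example); it therefore rejects %s, %n, %p and floating conversions, a '*' width or precision (which consumes an extra argument), the N$ positional syntax mentioned above, any conversion it does not recognise, and any format with more conversions than max_args. The names strict_unsafe_fmt and parse_spec are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse one conversion specification starting just after a '%'.
 * Returns the number of characters consumed (up to and including the
 * conversion character) or -1 if the spec is unsafe or malformed. */
static int parse_spec(const char *p)
{
	const char *q = p;

	/* flags: "-+ #0'" (the *q guard keeps strchr from matching '\0') */
	while (*q && strchr("-+ #0'", *q))
		q++;

	/* width: digits, or '*' which pulls an extra argument -> reject */
	if (*q == '*')
		return -1;
	while (isdigit((unsigned char)*q))
		q++;

	/* "N$" positional argument selection (e.g. "%1000000$d") -> reject */
	if (*q == '$')
		return -1;

	/* precision: '.' followed by digits or '*' ('*' again -> reject) */
	if (*q == '.') {
		q++;
		if (*q == '*')
			return -1;
		while (isdigit((unsigned char)*q))
			q++;
	}

	/* length modifiers: hh h l ll j z t L */
	while (*q && strchr("hlLjzt", *q))
		q++;

	switch (*q) {
	case 'd': case 'i': case 'u': case 'o': case 'x': case 'X': case 'c':
		return (int)(q - p) + 1;	/* integer/char conversions only */
	default:
		/* 's', 'n', 'p', floating point, unknown or missing: reject */
		return -1;
	}
}

/* Returns 1 if fmt is unsafe to hand to printf() with max_args integer
 * arguments, 0 if every conversion is a plain integer/char one and the
 * argument count fits.  "%%" is accepted as the literal-percent escape. */
int strict_unsafe_fmt(const char *fmt, int max_args)
{
	int nargs = 0;
	const char *p;

	for (p = fmt; *p; p++) {
		if (*p != '%')
			continue;
		if (p[1] == '%') {
			p++;		/* skip the second '%' of "%%" */
			continue;
		}
		int n = parse_spec(p + 1);
		if (n < 0)
			return 1;
		if (++nargs > max_args)
			return 1;
		p += n;			/* jump to the conversion character */
	}
	return 0;
}

int main(void)
{
	/* constructed sample inputs: the bypasses from the thread plus
	 * a few benign formats */
	const char *samples[] = {
		"%s", "% s", "%.*s", "%1000000$d", "%n", "%d %d",
		"%d", "100%% of %5.2lx", "%",
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-20s -> %s\n", samples[i],
		       strict_unsafe_fmt(samples[i], 1) ? "UNSAFE" : "ok");
	return 0;
}
```

Because every conversion is parsed to its conversion character, the "% s", "%.*s" and "%1000000$d" bypasses described in the message are all rejected, while "%d" or "%5.2lx" with max_args of 1 still pass. Adjust the accepted conversion set if the program actually passes other argument types.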