tags 182277 - security
thanks

On Mon, Feb 24, 2003 at 12:28:44AM -0800, Alexander Hvostov wrote:
> Package: gcc-3.2
> Version: 1:3.2.3-0pre1
> Severity: normal
> Tags: security
>
> As noted in the corresponding man page, the 'sprintf' and 'vsprintf'
> functions are insecure, and should not be used. I suggest that gcc print
> a warning when compiling code in which they are used, as it already does
> with 'gets' (also insecure).

gets() is _inherently_ insecure (there is no way to prevent it from
writing beyond the end of the buffer), and so it should never be used.

It is perfectly possible, however, to use sprintf and vsprintf securely,
and there are sometimes good (portability) reasons to do so. So this kind
of warning is not appropriate for sprintf or vsprintf.

-- 
 - mdz
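An added illustration of the distinction drawn above (example code, not from the bug report or from gcc): two uses of sprintf where the destination size is shown sufficient before the call, one from a static worst case for "%d" and one from a runtime length check for "%s/%s". The function names, the INT_DEC_BUF bound and the "pid=" format are made up for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Conservative upper bound on strlen(sprintf("%d", x)) + 1 for any int:
 * one decimal digit per 3 bits (an overestimate), plus sign, plus NUL.
 * For a 32-bit int this is 13; INT_MIN actually needs 12 ("-2147483648\0"). */
#define INT_DEC_BUF ((CHAR_BIT * sizeof(int) + 2) / 3 + 2)

/* Case 1: a fixed prefix plus one %d, so the maximum output length is
 * known before the call. sprintf runs only when the destination provably
 * holds the worst case; otherwise the function refuses to write. */
int format_pid_line(char *out, size_t outsz, int pid)
{
    static const char prefix[] = "pid=";
    const size_t worst = (sizeof prefix - 1) + INT_DEC_BUF;

    if (out == NULL || outsz < worst)
        return -1;                      /* cannot prove it fits: do not write */
    return sprintf(out, "%s%d", prefix, pid);
}

/* Case 2: "%s/%s" with caller-supplied strings. The exact output length
 * is strlen(dir) + 1 + strlen(file), computed and checked against the
 * buffer before sprintf runs. gets() has no equivalent check: its output
 * length is decided by whoever supplies stdin, so nothing can bound it. */
int join_path(char *out, size_t outsz, const char *dir, const char *file)
{
    size_t need;

    if (out == NULL || dir == NULL || file == NULL)
        return -1;
    need = strlen(dir) + 1 + strlen(file) + 1;   /* '/' and NUL */
    if (need > outsz)
        return -1;                      /* would overflow: refuse */
    return sprintf(out, "%s/%s", dir, file);
}
```

Note that format_pid_line rejects a small buffer even when the particular value would have fit; the static bound is deliberately conservative.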