Vulnerability Development mailing list archives
Re: About the format bugs thread...
From: 11a () GMX NET (Bluefish)
Date: Tue, 11 Jul 2000 23:33:00 +0200
> Yesterday I was thinking about the format bugs thread, and... Isn't the problem solved if I use a fixed version of the *printf family? I mean, so many new vulnerabilities regarding this problem, when the REAL fix is so easy. Why should we patch every new program, when it is enough to patch the *printf functions?
The "formatting bugs" are not a bug in printf; it's a really, really bad example of bad programming. When I first heard of it, I didn't understand the issue. Neither did our moderator, Blue Boar. And I tried to explain it to some friends of mine, and it took a while. Was it hard to understand how it works? No. But it was pretty hard to grasp that such silly coding actually exists. (I assume the coders didn't drink their coffee ;) There is hardly a need for fixing printf because of this bug. Just about every programming book on C explains how printf works. If you don't use the function in the way you're supposed to, you get what you do: weirdness. I don't think printf is bug-prone. Although I like Java and other languages with civilized string handling, printf isn't a problem. But several other parts of C are ;)
> Maybe the problem is some POSIX or ANSI C standard that doesn't allow changes in the *printf family, or something like that...?
printf(somethingtheusersentme) is a rather undocumented feature which I really would NOT call ANSI-C compliant code. printf is powerful because it is really simple to (among other things) create multi-language code with it. That's a good reason to let it remain as it is. All you need to do to be safe is to simply use printf("%s",somethingtheusersentme)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
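The pattern recommended in the message above, as an added example that is not part of the original post: format strings come from a developer-controlled per-language table and the user's text is passed only as an argument. The catalog, the function names and the sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Trusted, developer-written format strings, one per language.
   Constructed sample catalog; all names here are hypothetical. */
static const char *const GREETING[] = {
    "Hello, %s!", /* 0: English */
    "Hej, %s!",   /* 1: Swedish */
};

/* Count the conversions printf would try to satisfy if `s` were passed as
   the format argument. "%%" is a literal percent and takes no argument. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the escaped percent */
        else if (s[1] != '\0')
            n++;            /* a directive that expects an argument */
    }
    return n;
}

/* The safe pattern: the format is ours, the user's text is only an argument,
   so any directives inside `user` are copied and never interpreted. */
static int greet(char *out, size_t outlen, int lang, const char *user)
{
    if (lang < 0 || lang >= (int)(sizeof GREETING / sizeof GREETING[0]))
        lang = 0;           /* unknown language: fall back to English */
    return snprintf(out, outlen, GREETING[lang], user);
}

int main(void)
{
    const char *user = "%x %x %n"; /* constructed hostile-looking input */
    char buf[64];

    /* printf(user) would treat these as directives with no arguments. */
    printf("directives in input: %d\n", count_conversions(user));
    greet(buf, sizeof buf, 1, user);
    puts(buf);                     /* input appears verbatim */
    return strcmp(buf, "Hej, %x %x %n!") != 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag calls where a non-literal string is passed as the format with no arguments.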