Bugtraq mailing list archives
Re: ftpd and setproctitle()
From: bernd.luevelsmeyer () HEITEC NET (Bernd Luevelsmeyer)
Date: Sat, 8 Jul 2000 00:50:29 +0200
D. J. Bernstein wrote: [...]
The solution is to eliminate the interface. Design a new interface that doesn't encourage bugs. Then make sure that everyone switches to the new interface. Advertise the new interface. Make the old interface more and more difficult to use. Move gets() to /usr/lib/libbugpronestandards.a.
[...] For this class of bugs, shouldn't it be possible to modify the compiler so it will flag any occurrence of a non-constant format string in printf()-like functions? I mean, an optional warning if the compiler can't determine the format string's contents at compile time. GCC has -Wformat already, which might be upgradeable; and there's __attribute__((format)) to mark printf-like functions. Even if user-written functions are not marked with the __attribute__, calls to functions in the compiler's library could at least be checked.
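As an added illustration (not code from the original message, from ftpd or from any of the projects in this thread), a user-written printf-style wrapper marked with __attribute__((format)) so that GCC's -Wformat family checks its callers the way it checks printf() itself; set_title, proc_title and title_for_user are hypothetical names. Later GCC releases did add -Wformat-security and -Wformat-nonliteral for exactly the case described above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical process-title buffer standing in for setproctitle()'s. */
static char proc_title[128];

/* format(printf, 1, 2): argument 1 is the format string, variadic
 * arguments start at 2.  With this attribute the compiler applies the
 * same format/argument checks to set_title() that it applies to printf(). */
static void set_title(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

static void set_title(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof proc_title, fmt, ap);
    va_end(ap);
}

/* Correct usage: the untrusted name is an argument to a constant "%s"
 * format, so any '%' it carries is treated as plain data. */
const char *title_for_user(const char *user)
{
    set_title("ftpd: %s", user);
    return proc_title;
}

#if 0
/* Bug-prone usage: the untrusted string IS the format.  Because set_title()
 * carries the format attribute, `gcc -Wformat -Wformat-security` reports
 * "format not a string literal and no format arguments" here, and
 * -Wformat-nonliteral warns on any non-literal format, even with arguments. */
static void title_for_user_unsafe(const char *user)
{
    set_title(user);
}
#endif

int main(void)
{
    /* Constructed sample input containing conversion directives. */
    puts(title_for_user("anon%s%x"));   /* prints "ftpd: anon%s%x" */
    return 0;
}
```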