On 02/24/2011 08:32 AM, Bruno Haible wrote:
> Hi Eric,
>
>> Another glibc printf bug has been exposed and fixed:
>>
>> http://sourceware.org/bugzilla/show_bug.cgi?id=12445
>>
>> Should our *printf-posix modules be testing for and working around this
>> issue?
>
> Based on the expected frequency of the bug - it affects only format strings
> with more than 31 format directives -, I would say no.

I might be okay with a compromise - document the glibc bug and that
printf-posix doesn't fix it, because the likelihood of the developer
intentionally passing a string with 31 format directives is slim (does anyone
ever pass a gettext string with that many format directives?). The bug appears
to only affect positional directives (%1$s) and not traditional directives
(%s). Most printf format strings are known at compile time, and the remaining
few that pass through arbitrary formats from the user (programs like coreutils'
printf or seq) tend to use traditional rather than positional parameters, so I
think they are immune. That is, I don't know if any gnulib clients would
benefit from the extra enforcement, if it's easy enough to avoid the
problematic format strings in the first place.

> But the effect of
> writing wrong data to the stack could be abused for security relevant
> exploits,
> so I would say yes.

Can gettext() ever return a translation that exploits the bug, by abusing
positional directives to have more directives than the original format string
being translated? Maybe gettext needs to sanitize translated strings to ensure
that translators can't inject the bug?

-- 
Eric Blake   [email protected]   +1-801-349-2682
Libvirt virtualization library http://libvirt.org
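The sanitization Eric asks about, as an added illustration that is not part of the thread and not gnulib's or gettext's own code: a small C scanner counts the conversion directives in a format string, notes how many are positional, and rejects a translation that either introduces more directives than the original or pushes a positional format past the 31-directive threshold quoted in the message. The threshold, the helper names, and the simplified directive grammar (no full printf-parse, no argument type checking) are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Threshold taken from the message above ("more than 31 format directives"),
   not from any glibc header.  Assumption of this example. */
#define DIRECTIVE_LIMIT 31

/* Conversion letters that terminate a directive. */
static const char CONVERSIONS[] = "diouxXeEfFgGaAcspn";

/* Scan FMT and count its conversion directives.  When POSITIONAL is
   non-NULL, the number of "%N$" (positional) directives is stored there.
   Returns the total directive count, or -1 if FMT is malformed (a '%'
   with no conversion letter before the end of the string).  "%%" is a
   literal and is not counted.  Simplified scanner for this example; it
   skips flags, width, precision and length modifiers without validating
   them. */
int count_directives(const char *fmt, int *positional)
{
    int total = 0, pos = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%": literal percent sign */
        /* Optional positional prefix: digits followed by '$'. */
        const char *q = p;
        while (*q >= '0' && *q <= '9')
            q++;
        if (q > p && *q == '$') {
            pos++;
            p = q + 1;
        }
        /* Skip everything up to the conversion letter. */
        while (*p && strchr(CONVERSIONS, *p) == NULL)
            p++;
        if (*p == '\0')
            return -1;                      /* dangling '%' */
        total++;
    }
    if (positional)
        *positional = pos;
    return total;
}

/* Accept TRANSLATION only if it has no more directives than ORIGINAL and,
   when it uses positional directives, stays within DIRECTIVE_LIMIT.  A
   translator therefore cannot add directives or reach the threshold the
   original never reached.  Argument types are not compared here. */
bool translation_is_safe(const char *original, const char *translation)
{
    int orig_pos = 0, tr_pos = 0;
    int orig_n = count_directives(original, &orig_pos);
    int tr_n = count_directives(translation, &tr_pos);
    if (orig_n < 0 || tr_n < 0)
        return false;                       /* malformed on either side */
    if (tr_n > orig_n)
        return false;                       /* translation added directives */
    if (tr_pos > 0 && tr_n > DIRECTIVE_LIMIT)
        return false;                       /* positional and over the limit */
    return true;
}

/* Build "%1$s %2$s ... %N$s" into BUF: constructed input for the demo.
   Returns 0 on success, -1 if BUF is too small. */
static int build_positional_format(char *buf, size_t size, int n)
{
    size_t used = 0;
    for (int i = 1; i <= n && used < size; i++)
        used += (size_t)snprintf(buf + used, size - used,
                                 "%s%%%d$s", i > 1 ? " " : "", i);
    return used < size ? 0 : -1;
}

/* Check a format with N positional directives against itself, the
   degenerate "translation" that changes nothing except the count. */
bool check_self_translation(int n)
{
    char buf[512];
    if (build_positional_format(buf, sizeof buf, n) != 0)
        return false;
    return translation_is_safe(buf, buf);
}

int main(void)
{
    /* Constructed sample msgid/msgstr pairs. */
    const char *orig = "%s has %d items";
    const char *reordered = "%2$d items in %1$s";   /* same count, reordered */
    const char *inflated = "%s has %d items (%s)";  /* one directive added */
    printf("reordered: %s\n", translation_is_safe(orig, reordered) ? "ok" : "rejected");
    printf("inflated:  %s\n", translation_is_safe(orig, inflated) ? "ok" : "rejected");
    printf("31 positional: %s\n", check_self_translation(31) ? "ok" : "rejected");
    printf("32 positional: %s\n", check_self_translation(32) ? "ok" : "rejected");
    return 0;
}
```

The count check is deliberately narrow: it only answers the question raised above (can a translation carry more directives than its msgid), and leaves conversion-type agreement to gettext's existing format checks.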