Eric Blake wrote:
> > But the effect of
> > writing wrong data to the stack could be abused for security relevant
> > exploits,
> > so I would say yes.
>
> Can gettext() ever return a translation that exploits the bug, by
> abusing positional directives to have more directives than the original
> format string being translated? Maybe gettext needs to sanitize
> translated strings to ensure that translators can't inject the bug?

Applications can use various means to fetch a "computed" format string from
somewhere, not only through gettext().

But indeed gettext() will not prohibit a maliciously constructed format string
from being returned:

1. While 'msgfmt -c' does verify the translations of format strings, people
can create .mo files that they didn't create with 'msgfmt -c'.

2. The verification done by 'msgfmt -c' ensures that the translation consumes
the same number and the same kind of arguments as the original string,
but the translator is free to insert as many '%%' directives in the string
as he likes. And for this bug, it's the total number of directives that
matters.

Bruno
--
In memoriam Mario Manuel de la Peña <http://www.directorio.org/mario.htm>
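As an added illustration (not code from gettext, gnulib or this thread), here is a small Python checker with constructed sample strings. It separates the two properties Bruno distinguishes: the set of arguments a format string consumes, which is roughly what 'msgfmt -c' compares, and the total number of directives including '%%', which is what this bug depends on. The regex and the `translation_is_safe` policy are assumptions made for this example.

```python
import re

# One printf-style directive (regex constructed for this example; covers the
# usual C99/POSIX syntax: optional "N$" position, flags, width, precision,
# length modifier, conversion).  '%%' matches with conv == '%'.
_DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?"                     # positional argument "N$"
    r"[-+ #0']*"                                # flags
    r"(?P<width>\*(?:\d+\$)?|\d+)?"             # width: "*", "*N$" or digits
    r"(?:\.(?P<prec>\*(?:\d+\$)?|\d*))?"        # precision, same forms
    r"(?:hh|h|ll|l|L|q|j|z|t)?"                 # length modifier
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"          # conversion
)

def analyze_format(fmt):
    """Return (total_directives, args): total_directives counts every
    directive including '%%'; args maps argument position -> kind."""
    total, args, next_pos, i = 0, {}, 1, fmt.find("%")
    while i >= 0:
        m = _DIRECTIVE.match(fmt, i)
        if m is None:
            raise ValueError(f"invalid directive at offset {i}")
        total += 1
        consumed = []                 # (explicit position or None, kind)
        for spec in (m["width"], m["prec"]):
            if spec and spec.startswith("*"):   # '*' takes an int argument
                consumed.append((spec[1:-1] or None, "d"))
        if m["conv"] != "%":
            consumed.append((m["pos"], m["conv"]))
        for p, kind in consumed:
            if p is None:             # unnumbered: next sequential argument
                p, next_pos = next_pos, next_pos + 1
            args[int(p)] = kind
        i = fmt.find("%", m.end())
    return total, args

def translation_is_safe(original, translated):
    """A translation passes only if it consumes exactly the arguments of the
    original (roughly what 'msgfmt -c' verifies) AND does not contain more
    directives in total than the original, '%%' included."""
    orig_total, orig_args = analyze_format(original)
    tr_total, tr_args = analyze_format(translated)
    return orig_args == tr_args and tr_total <= orig_total

# Constructed sample strings.
ORIGINAL = "%s has %d new messages"
REORDERED = "%2$d nouveaux messages pour %1$s"   # same args, new order
PADDED = "%2$d %%%%%%%% %1$s"                     # same args, 4 extra '%%'

if __name__ == "__main__":
    for t in (REORDERED, PADDED):
        print(analyze_format(t), translation_is_safe(ORIGINAL, t))
```

Both sample translations consume the same two arguments as the original, so an argument-only comparison accepts both; only the directive count tells them apart.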