From owner-freebsd-hackers Thu Sep 7 20:21:19 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 9FB2437B42C; Thu, 7 Sep 2000 20:21:15 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA69687; Thu, 7 Sep 2000 20:21:15 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 20:21:15 -0700 (PDT)
From: Kris Kennaway
To: Warner Losh
Cc: John Doh! , security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: How to stop problems from printf
In-Reply-To: <200009080259.UAA50393@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message "John Doh!" writes:
> : Issue is must be getting format string from "untrusted" place, but want to
> : limit substitution of %... to the substitution of say in example the
> : argv[0], but to not do others so that say given "usage: %s filename %p" %p
> : not interpret but to be print instead as literally so we get output of
> : (saying to be argv[0] as test just for example) usage: test filename %p
> :
> : any hints you have I am very grateful for.
>
> Fix gettext to only allow N arguments in the same order that the
> original message had.

gettext() doesn't take any additional arguments; AFAIK it just munges the
string. The argument substitution was being done by printf() in the example
given.

"usage: %s filename" -> "blurgle: %s flobodob"

But if you're looking up in an untrusted catalog, then it could return
"blurgle: %s flobodob %n%n%n%n%n" in which case your function might be
insecure.
The only possibilities I immediately see are:

1) Don't do that (look up in untrusted catalogs)

2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
looks up the message in the catalog, b) verifies the returned string has
the same number and type of format strings, and c) substitutes the
arguments passed to it using vsnprintf() into the passed buffer. The
resulting string should then be handled using function("%s", buf) to deal
with escaped format strings ("%%s" which would be parsed to %s by the
vsnprintf()).

I don't think you can do it securely otherwise, unless I'm missing
something. The problem is that you want gettext to substitute arguments
into the string, but it doesn't do that, and the string it returns has an
unknown number of format strings so it's not safe to use in a varargs
function.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
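The vgettext() sketched in option 2 above, worked through as an added example for this page; it is not code from the thread, from gettext or from FreeBSD. It walks the compiled-in msgid and the catalog's translation with the same small printf-spec parser, accepts the translation only if both consume exactly the same argument list (same count, same order, same length modifier and conversion; a '*' width or precision counts as an int argument), and rejects any spec it does not recognise, which covers %n. The in-memory catalog table and lookup_catalog() are constructed stand-ins for a real catalog, MAX_SPECS is an arbitrary limit, and positional specs such as %1$s are simply rejected rather than handled. On a mismatch or a missing entry it falls back to the trusted msgid, so the caller always gets something printable.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPECS 16   /* arbitrary limit for this example */

/* Collect the argument-consuming conversion specs of a printf format into
 * specs[] (length modifier plus conversion, e.g. "s", "ld", "zu"; a '*'
 * width or precision is recorded as "*" since it consumes an int).
 * Returns the count, or -1 on a malformed spec or on %n, which must never
 * come from untrusted input. "%%" is a literal and consumes nothing. */
static int collect_specs(const char *fmt, char specs[][4], int max)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                          /* "%%" literal */
        while (*p && strchr("-+ #0", *p)) p++;              /* flags */
        for (int pass = 0; pass < 2; pass++) {              /* width, precision */
            if (pass == 1) { if (*p != '.') break; p++; }
            if (*p == '*') {
                if (n >= max) return -1;
                strcpy(specs[n++], "*");
                p++;
            } else {
                while (isdigit((unsigned char)*p)) p++;
            }
        }
        char spec[4] = {0};
        int k = 0;
        while (*p && strchr("hlLqjzt", *p) && k < 2) spec[k++] = *p++;
        if (!*p || !strchr("diouxXcsfFeEgGaAp", *p)) return -1; /* %n, $, junk */
        spec[k] = *p;
        if (n >= max) return -1;
        strcpy(specs[n++], spec);
    }
    return n;
}

/* True iff both formats consume exactly the same argument list. */
bool specs_match(const char *trusted, const char *untrusted)
{
    char a[MAX_SPECS][4], b[MAX_SPECS][4];
    int na = collect_specs(trusted, a, MAX_SPECS);
    int nb = collect_specs(untrusted, b, MAX_SPECS);
    if (na < 0 || nb < 0 || na != nb) return false;
    for (int i = 0; i < na; i++)
        if (strcmp(a[i], b[i]) != 0) return false;
    return true;
}

/* Constructed stand-in for an untrusted message catalog (hypothetical). */
struct entry { const char *msgid; const char *msgstr; };
static const struct entry catalog[] = {
    { "usage: %s filename",    "blurgle: %s flobodob" },       /* accepted */
    { "open failed: %s",       "open failed: %s %n%n%n%n%n" }, /* hostile */
    { "read %d bytes from %s", "%s: %d bytes read" },          /* reordered */
    { "%ld items",             "%d items" },                   /* wrong width */
};

static const char *lookup_catalog(const char *msgid)
{
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
        if (strcmp(catalog[i].msgid, msgid) == 0) return catalog[i].msgstr;
    return NULL;
}

/* The vgettext() of the message: look msgid up, use the translation only
 * if its specs match the compiled-in msgid, substitute the caller's
 * arguments with vsnprintf() into buf. Returns 1 if the translation was
 * used, 0 if it fell back to msgid. The caller must then emit buf with a
 * literal format, e.g. printf("%s", buf), never printf(buf). */
int safe_gettext_fmt(char *buf, size_t size, const char *msgid, ...)
{
    const char *fmt = lookup_catalog(msgid);
    int used = 1;
    if (fmt == NULL || !specs_match(msgid, fmt)) { fmt = msgid; used = 0; }
    va_list ap;
    va_start(ap, msgid);
    vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return used;
}

int main(void)
{
    char buf[128];
    const char *ids[] = { "usage: %s filename", "open failed: %s" };
    for (int i = 0; i < 2; i++) {
        int used = safe_gettext_fmt(buf, sizeof buf, ids[i], "test");
        printf("%s -> [%s] %s\n", ids[i], used ? "catalog" : "fallback", buf);
    }
    return 0;
}
```

The second step of the message's scheme is what makes the first one safe to combine with a varargs function: because the caller hands buf to the output routine as data ("%s", buf) rather than as the format, a "%%" that the catalog expanded to a literal "%" cannot be reinterpreted on the way out. Comparing length modifiers as well as conversions matters on platforms where a long and an int differ in size, since "%d" in place of "%ld" would still misread the argument stack even with no %n present.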