Date: Thu, 7 Sep 2000 20:57:07 -0700 (PDT)
From: Kris Kennaway
To: Warner Losh
Cc: John Doh!, security@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: How to stop problems from printf
In-Reply-To: <200009080352.VAA51001@harmony.village.org>

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message Kris Kennaway writes:
> : gettext() doesn't take any additional arguments, AFAIK it just munges the
> : string. The argument substitution was being done by printf() in the
> : example given.
>
> Right. You know how many args are expected, since you know printf.
>
> : The only possibilities I immediately see are:
> :
> : 1) Don't do that (look up in untrusted catalogs)
> :
> : 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
> : looks up the message in the catalog, b) verifies the returned string has
> : the same number and type of format strings, and c) substitutes the
> : arguments passed to it using vsnprintf() into the passed buffer. The
> : resulting string should then be handled using function("%s", buf) to deal
> : with escaped format strings ("%%s" which would be parsed to %s by the
> : vsnprintf()). I don't think you can do it securely otherwise, unless I'm
> : missing something.
> :
> : The problem is that you want gettext to substitute arguments into the
> : string, but it doesn't do that, and the string it returns has an unknown
> : number of format strings so it's not safe to use in a varargs function.
>
> 3) figure out how many args a string needs and forbid strings with
> more than that in them. It knows from the original number of
> % args, can apply the printf rules. It would be trivial to write
> one function to do most of this. You get the number of args in the
> key, you get the number of args in the new string using the same
> routine. If the two numbers aren't equal, you return the original
> key string, or abort.

It also needs to check they are all of the same type, as changing a %d to a
%s for example could conceivably be exploitable. And you would have to
forbid escaped % characters as well.

Yeah, I think that would be doable. We probably should talk to the gnu
gettext guys.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
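Option 3 from the exchange above, with Kris's two additions (same types, no extra escaped percents), as an added example in C that is not code from this thread or from GNU gettext: `fmt_conversions` lists the conversion characters of a format in order (counting `%%` and `*` too, since both affect what printf consumes), and `checked_translation` returns the catalog string only when that list matches the key's exactly, otherwise the original key. Both function names are mine; positional `%n$` syntax is simply rejected by this strict checker.

```c
/* Added example, not code from this thread or from GNU gettext: implement
 * "option 3" by comparing the conversions of a catalog string with its key. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Write the conversion characters of fmt into out, in order, skipping flags,
 * width, precision and length modifiers. "%%" is recorded as '%' and a '*'
 * width/precision as '*' (it consumes an argument too). Returns the count,
 * or -1 if fmt is malformed, too long for out, or uses positional "%n$"
 * syntax, which this strict checker does not accept. */
static int fmt_conversions(const char *fmt, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%') {                 /* escaped percent: record it */
            if (n + 1 >= outsz) return -1;
            out[n++] = '%';
            continue;
        }
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') {             /* '*' pulls an int argument */
                if (n + 1 >= outsz) return -1;
                out[n++] = '*';
            }
            p++;
        }
        if (!*p || !isalpha((unsigned char)*p) || n + 1 >= outsz)
            return -1;                   /* dangling '%' or "%1$s" etc. */
        out[n++] = *p;                   /* the conversion letter itself */
    }
    out[n] = '\0';
    return (int)n;
}

/* Return translated if its conversions match key's exactly (count, order and
 * type); otherwise fall back to key, the safe default proposed in the thread.
 * The caller then uses the result as the format for a printf-family call. */
const char *checked_translation(const char *key, const char *translated)
{
    char a[64], b[64];
    int na = fmt_conversions(key, a, sizeof a);
    int nb = fmt_conversions(translated, b, sizeof b);
    if (na < 0 || nb < 0 || na != nb || strcmp(a, b) != 0)
        return key;
    return translated;
}
```

Width and precision changes (`%5.2f` versus `%.3f`) pass, since they do not alter the argument list; a translation that changes `%d` to `%s`, adds a `%x`, or turns `%%` into a bare `%` falls back to the key.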