Date: Thu, 13 Jun 2002 16:08:24 +0200 (CEST) From: Martin Faxer <gmh003532@brfmasthugget.se> To: FreeBSD-gnats-submit@FreeBSD.org Subject: docs/39230: warn against format string attacks in the printf man page Message-ID: <200206131408.g5DE8Oik006354@lockdown.spectrum.fearmuffs.net>
next in thread | raw e-mail | index | archive | help
>Number: 39230 >Category: docs >Synopsis: warn against format string attacks in the printf man page >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Thu Jun 13 07:30:05 PDT 2002 >Closed-Date: >Last-Modified: >Originator: Martin Faxer >Release: FreeBSD 5.0-CURRENT i386 >Organization: none >Environment: System: FreeBSD lockdown.spectrum.fearmuffs.net 5.0-CURRENT FreeBSD 5.0-CURRENT #9: Fri Jun 7 11:31:45 CEST 2002 redpixel@lockdown.spectrum.fearmuffs.net:/usr/obj/usr/src/sys/LOCKDOWN i386 >Description: the printf man page fails to inform the reader about the need to include a format string in the security considerations section of the man page. >How-To-Repeat: read the printf(3) man page >Fix: apply the patch below (the patch also makes the paragraph below a little bit clearer by stating that the sprintf() and vsprintf() functions are easily misused because of their lack of bounds checking.) --- printf.diff begins here --- Index: printf.3 =================================================================== RCS file: /home/ncvs/src/lib/libc/stdio/printf.3,v retrieving revision 1.38 diff -u -r1.38 printf.3 --- printf.3 9 Jan 2002 14:01:22 -0000 1.38 +++ printf.3 13 Jun 2002 13:59:56 -0000 @@ -690,12 +690,23 @@ .Ed .Sh SECURITY CONSIDERATIONS The +.Nm +family of functions take a +.Ar format +argument which is not to be left out, even if you are intending to +only print a single string. +Failure to include the +.Ar format +argument may lead to malicious users providing a specially +crafted format string to take control of the program. +.Pp +The .Fn sprintf and .Fn vsprintf -functions are easily misused in a manner which enables malicious users -to arbitrarily change a running program's functionality through -a buffer overflow attack. +functions lack bounds checking and are easily misused in a manner +which enables malicious users to arbitrarily change a running +program's functionality through a buffer overflow attack. (See the FSA and --- printf.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206131408.g5DE8Oik006354>