From owner-freebsd-doc Thu Jun 13 7:30:44 2002
Delivered-To: freebsd-doc@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 588B437B422 for ; Thu, 13 Jun 2002 07:30:05 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5DEU5B09375; Thu, 13 Jun 2002 07:30:05 -0700 (PDT) (envelope-from gnats)
Received: from lockdown.spectrum.fearmuffs.net (c164-147.pro.thalamus.se [212.31.164.147]) by hub.freebsd.org (Postfix) with ESMTP id 4F08837B403 for ; Thu, 13 Jun 2002 07:29:21 -0700 (PDT)
Received: from lockdown.spectrum.fearmuffs.net (localhost.spectrum.fearmuffs.net [127.0.0.1]) by lockdown.spectrum.fearmuffs.net (8.12.3/8.12.3) with ESMTP id g5DE8OHF006355 for ; Thu, 13 Jun 2002 16:08:24 +0200 (CEST) (envelope-from redpixel@lockdown.spectrum.fearmuffs.net)
Received: (from redpixel@localhost) by lockdown.spectrum.fearmuffs.net (8.12.3/8.12.3/Submit) id g5DE8Oik006354; Thu, 13 Jun 2002 16:08:24 +0200 (CEST) (envelope-from redpixel)
Message-Id: <200206131408.g5DE8Oik006354@lockdown.spectrum.fearmuffs.net>
Date: Thu, 13 Jun 2002 16:08:24 +0200 (CEST)
From: Martin Faxer
Reply-To: Martin Faxer
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: docs/39230: warn against format string attacks in the printf man page
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 39230
>Category: docs
>Synopsis: warn against format string attacks in the printf man page
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 13 07:30:05 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Martin Faxer
>Release: FreeBSD 5.0-CURRENT i386
>Organization: none
>Environment:
System: FreeBSD lockdown.spectrum.fearmuffs.net 5.0-CURRENT FreeBSD 5.0-CURRENT #9: Fri Jun 7 11:31:45 CEST 2002 redpixel@lockdown.spectrum.fearmuffs.net:/usr/obj/usr/src/sys/LOCKDOWN i386
>Description:
The printf man page fails to inform the reader about the need to include a format string in the security considerations section of the man page.
>How-To-Repeat:
Read the printf(3) man page.
>Fix:
Apply the patch below (the patch also makes the paragraph below a little bit clearer by stating that the sprintf() and vsprintf() functions are easily misused because of their lack of bounds checking).

--- printf.diff begins here ---
Index: printf.3
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdio/printf.3,v
retrieving revision 1.38
diff -u -r1.38 printf.3
--- printf.3	9 Jan 2002 14:01:22 -0000	1.38
+++ printf.3	13 Jun 2002 13:59:56 -0000
@@ -690,12 +690,23 @@ .Ed .Sh SECURITY CONSIDERATIONS The +.Nm +family of functions take a +.Ar format +argument which is not to be left out, even if you are intending to +only print a single string. +Failure to include the +.Ar format +argument may lead to malicious users providing a specially +crafted format string to take control of the program. +.Pp +The .Fn sprintf and .Fn vsprintf -functions are easily misused in a manner which enables malicious users -to arbitrarily change a running program's functionality through -a buffer overflow attack. +functions lack bounds checking and are easily misused in a manner +which enables malicious users to arbitrarily change a running +program's functionality through a buffer overflow attack. (See the FSA and --- printf.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
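Review bot: The wording of the added first paragraph describes the wrong condition; a caller cannot "leave out" the .Ar format argument, since the compiler requires it, so "Failure to include the format argument" does not name what actually enables the attack. The hazard is passing the string to be printed as the format argument itself, i.e. calling printf(str) instead of printf("%s", str), so the sentence "argument which is not to be left out, even if you are intending to only print a single string" should instead say that the format must always be a fixed, program-supplied string and that data, in particular anything originating from a user, must be passed as an argument to a "%s" conversion and never used as the format. Minor: "family of functions take a" should read "takes a" to agree with the singular "family". The rewording of the sprintf/vsprintf paragraph to state the missing bounds checking is fine as is.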
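The two points the patch raises, data handed over as the format argument and a bounded formatter in place of sprintf(), shown side by side in an added example; this is not code from the PR or from printf.3, and the helper names log_fmt, log_unsafe, log_safe and unsafe_alters_message are my own, not FreeBSD libc API:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_LEN 64
/* Bounded logging helper: vsnprintf() with an explicit size instead of
 * sprintf(); a long line is truncated, and the full length is returned. */
int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* BUGGY caller, kept to show the defect the man page warns about: the
 * message is handed over as the format argument and gets interpreted. */
int log_unsafe(char *out, size_t outsz, const char *msg)
{
    return log_fmt(out, outsz, msg);
}

/* CORRECT caller: a fixed format string, the message passed as data. */
int log_safe(char *out, size_t outsz, const char *msg)
{
    return log_fmt(out, outsz, "%s", msg);
}

/* Returns 1 when the unsafe path yields a different line from the safe
 * path, i.e. when the data was parsed as a format string. */
int unsafe_alters_message(const char *msg)
{
    char a[LOG_LINE_LEN], b[LOG_LINE_LEN];
    log_unsafe(a, sizeof a, msg);
    log_safe(b, sizeof b, msg);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed input: "%%" is harmless to evaluate, yet shows parsing. */
    const char *msg = "progress: 100%% done";
    char line[LOG_LINE_LEN];
    log_unsafe(line, sizeof line, msg);
    printf("unsafe: %s\n", line);   /* progress: 100% done */
    log_safe(line, sizeof line, msg);
    printf("safe:   %s\n", line);   /* progress: 100%% done */
    return 0;
}
```

The return value of log_safe() exceeding the buffer size is how truncation is detected, which is the bounds check sprintf() cannot offer.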