FTBFS if "-Werror=format-security" flag is used

Josh Bressers bressers at redhat.com
Thu Dec 5 19:37:12 UTC 2013


----- Original Message -----
> On Wed, Dec 04, 2013 at 05:11:16PM -0600, Ian Pilcher wrote:
> > On 12/04/2013 04:56 PM, Brendan Jones wrote:
> > > Patching is not a problem. Unnecessary is the question. Explain to me
> > > (not you in particular Rahul) how these printf's can possibly be
> > > exploited?
> > 
> >   char *output;
> > 
> >   output = get_user_input(...);
> >   printf(output);
> > 
> > What happens when the user enters %n?
> 
> With -D_FORTIFY_SOURCE=2 the program is aborted, unless the string resides
> in read-only memory ;)
> 

While this response is likely meant to be a bit snarky, I'd like to explain
this a bit more.

The idea here is we have multiple layers of defense. We don't have to only
worry about one technology. They fail from time to time, so you make sure
you have a backup, and a backup of the backup, and so on. We never want to
rely on one security technology to solve our problems, so we combine
several.

It also helps us future proof the code. Things can change in the future, by
making wise decisions today we can avoid some pain tomorrow.

There is also a bigger idea of making sure developers think about what
they're doing. If you just smash out a "printf(foo)", you don't have to
give the type of foo a second thought. The thinking is that if you add an
extra step, it will hopefully remind the developer to think about what
they're doing for a second (and hopefully prevent a bug). This is of course
subjective, I can't prove it's the case.

And lastly, while you can't execute arbitrary code with a %n these days (in
theory), you can cause a denial-of-service, which often isn't ideal either.

Thanks.

-- 
Josh Bressers / Red Hat Product Security Team
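The pattern the thread is arguing about, as an added C example that is not part of the original discussion or any Red Hat code: it shows what %n actually does (a write through a pointer argument), the user-controlled-format call that -Werror=format-security rejects beside its fixed form, and a small review helper that counts how many directives an untrusted string would trigger. The sample inputs are constructed, and the diagnostic pragma is an assumption made only so the deliberately bad call compiles on distributions whose compiler defaults already include -Werror=format-security; in real code you want that build failure.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread). Shows what %n does, why a
 * user-controlled format string is dangerous, and the fix that
 * -Werror=format-security pushes you towards. */

/* %n stores the number of bytes emitted so far through the matching
 * pointer argument. With a literal format the pointer is one we
 * supplied; with an attacker-chosen format the "pointer" is whatever
 * happens to sit in that argument slot, i.e. a write to memory we
 * never chose. */
int bytes_written_by_n(const char *word)
{
    char buf[64];
    int count = -1;
    snprintf(buf, sizeof buf, "%s%n", word, &count);
    return count;
}

/* The vulnerable shape from the thread: user data used as the format.
 * gcc and clang flag this with -Wformat-security; the pragma is here
 * only so the demo builds on distributions that default to
 * -Werror=format-security (assumption). In real code let the build fail. */
static char unsafe_out[128];
const char *render_unsafe(const char *user_input)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
    snprintf(unsafe_out, sizeof unsafe_out, user_input);
#pragma GCC diagnostic pop
    return unsafe_out;
}

/* Hardened: user data is an argument, never the format. Every byte of
 * the input, including "%n", is copied verbatim. */
static char safe_out[128];
const char *render_safe(const char *user_input)
{
    snprintf(safe_out, sizeof safe_out, "%s", user_input);
    return safe_out;
}

/* Review helper: how many conversion directives would an untrusted
 * string trigger if it were passed as a format? "%%" is a literal
 * percent sign and does not count. Useful for triaging captured input
 * or logs; not a substitute for fixing the call. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs, standing in for get_user_input(). */
    const char *benign = "50%% off";
    const char *hostile = "100%n done";

    printf("%%n stored %d after \"hello\"\n", bytes_written_by_n("hello"));
    printf("unsafe(%s) -> %s\n", benign, render_unsafe(benign));
    printf("safe(%s)   -> %s\n", benign, render_safe(benign));
    printf("safe(%s)  -> %s\n", hostile, render_safe(hostile));
    printf("%s would trigger %d directive(s); never pass it as a format\n",
           hostile, count_directives(hostile));
    /* render_unsafe(hostile) is deliberately not called: %n with no
     * pointer argument is undefined behaviour, and with
     * -D_FORTIFY_SOURCE=2 glibc aborts the process instead. */
    return 0;
}
```

Build it with `gcc -Wall -Werror=format-security` after deleting the pragma lines to see the flag do its job: only `render_unsafe` fails to compile, which is exactly the call that needed a second look.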

