[16] in Best-of-Security

BoS: Re: Solaris2 libc/getopt bug

daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Feb 6 01:53:06 1997

Date: 	Wed, 5 Feb 1997 13:47:29 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
In-Reply-To:  Your message of "Wed, 29 Jan 1997 16:39:23 CST." 
              <199701292239.QAA00929@netman.eng.auburn.edu>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

>Does anybody have source for a suitable replacement getopt.c?
>The Solaris2.5.1 version (at least) has a symbol _sp which seems
>to be needed by several other system installed binaries. So far,
>I've been unable to determine what this symbol is used for. If
>somebody already has a suitable C source, I'm sure there are several
>that would benefit if it were posted here.  I'm not expecting
>Sun to release a patch for a couple of weeks.

Well, here's another workaround.


The problem with getopt is in the error message that is printed by default
when an option error is discovered.

You can suppress this error by setting "opterr", a global libc variable, to 0.

So what is simpler than this:


        adb -w /lib/libc.so.1
        opterr?W0
        opterr:         0x1             =       0x0


Con:
        you won't get any "... : illegal option -- z" messages anymore.
        (but programs typically print a usage afterwards)

Pro:
        You won't overflow buffers.


I don't think many programs will have "opterr = 1" as that is the default.

Casper
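
The same opterr = 0 setting can also be applied inside a single program instead of patching libc.so.1. The following is an added example, not part of the original post or of Sun's code: the option letters, struct and function names are hypothetical, and the program formats its own length-bounded diagnostic.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* declare getopt() under strict -std modes */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MSG_MAX 128

struct parse_result {
    int verbose;            /* -v seen */
    const char *outfile;    /* argument of -o, or NULL */
    int errors;             /* number of option errors */
    char msg[MSG_MAX];      /* last diagnostic, always NUL-terminated */
};

/* Parse hypothetical options "-v" and "-o file" without letting libc print. */
int parse_args(int argc, char *const argv[], struct parse_result *r)
{
    int c;
    memset(r, 0, sizeof *r);
    opterr = 0;   /* the variable the adb workaround zeroes, set per process */
    optind = 1;   /* restart the scan so this can be called more than once */
    /* Leading ':' makes getopt() return ':' for a missing argument. */
    while ((c = getopt(argc, argv, ":vo:")) != -1) {
        switch (c) {
        case 'v': r->verbose = 1; break;
        case 'o': r->outfile = optarg; break;
        case ':':
        case '?':
            /* Bounded formatting: the program name is capped at 64 bytes. */
            snprintf(r->msg, sizeof r->msg, "%.64s: %s -- %c", argv[0],
                     c == ':' ? "option requires an argument"
                              : "illegal option", optopt);
            r->errors++;
            break;
        }
    }
    return r->errors ? -1 : 0;
}

int main(int argc, char **argv)
{
    struct parse_result r;
    if (parse_args(argc, argv, &r) != 0) {
        fprintf(stderr, "%s\nusage: prog [-v] [-o file]\n", r.msg);
        return 2;
    }
    return 0;
}
```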