[16787] in bugtraq
Re: Format String Attacks
daemon@ATHENA.MIT.EDU (Casper Dik)
Fri Sep 15 12:58:47 2000
Message-Id: <200009150715.JAA23740@romulus.Holland.Sun.COM>
Date: Fri, 15 Sep 2000 09:15:45 +0200
Reply-To: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
From: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
X-To: Dan Astoorian <djast@CS.TORONTO.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 13 Sep 2000 13:29:45 EDT."
<00Sep13.132949edt.453134-2358@jane.cs.toronto.edu>
>Note that perror() itself may perform localization on some platforms and
>under some circumstances (e.g., if compiled with -lintl under Solaris).

perror() is always localized; -lintl isn't an actual library since
Solaris 2.5 when it was merged into libc.

>I don't know whether it's exploitable in practice, but it appears to me
>as though this wrapper could suffer, at least theoretically, from the
>same weakness as the programs it's trying to protect.

That one isn't; no printf is involved in perror().
(It's gettext(strerror(errno)) written with write)

Of course, there are two other gaping holes in the wrapper, so
that point is a bit moot.

Casper
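The reason the point above holds is structural: perror() assembles its output by copying bytes and hands the result to write(2), so a caller-supplied prefix is never parsed as a printf format. The following C is an added illustration of that structure written for this archive page; it is not Casper Dik's code, not Sun's libc, and not the wrapper under discussion. It assumes a fixed 512-byte output buffer and leaves out the gettext() translation step that the real Solaris perror() applies to the strerror() text.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/*
 * Build the text perror() emits: "<prefix>: <strerror(err)>\n", or just
 * "<strerror(err)>\n" when prefix is NULL or empty.  Every byte of prefix
 * is copied verbatim with memcpy; nothing here scans for '%' directives,
 * so a hostile prefix such as "%n%n%s" is inert.  (The real Solaris
 * perror() passes the strerror() text through gettext() first; that
 * localization step is omitted in this illustration.)
 * Returns the number of bytes placed in buf, or -1 if buf is too small.
 */
long build_perror_message(const char *prefix, int err, char *buf, size_t buflen)
{
    const char *desc = strerror(err);
    size_t plen = (prefix && *prefix) ? strlen(prefix) : 0;
    size_t dlen = strlen(desc);
    size_t total = (plen ? plen + 2 : 0) + dlen + 1;   /* ": " plus "\n" */
    size_t off = 0;

    if (total > buflen)
        return -1;
    if (plen) {
        memcpy(buf + off, prefix, plen); off += plen;
        memcpy(buf + off, ": ", 2);      off += 2;
    }
    memcpy(buf + off, desc, dlen);       off += dlen;
    buf[off++] = '\n';
    return (long)off;
}

/*
 * A perror() lookalike: one write(2) to fd 2, no stdio formatting at all.
 * Contrast the pattern a format-string bug needs, fprintf(stderr, prefix),
 * where the same prefix would be interpreted as a format string.
 * Returns 0 on success, -1 on a short write or an oversized message.
 */
int perror_via_write(const char *prefix)
{
    char buf[512];   /* assumed fixed buffer; real libc sizes this differently */
    long n = build_perror_message(prefix, errno, buf, sizeof buf);

    if (n < 0)
        return -1;
    return write(2, buf, (size_t)n) == n ? 0 : -1;
}

int main(void)
{
    /* Constructed hostile prefix: harmless here, dangerous as a printf format. */
    errno = ENOENT;
    return perror_via_write("%n%n%s%s") == 0 ? 0 : 1;
}
```

Run it and the prefix appears literally, followed by the ENOENT text: the directives never reach anything that would interpret them, which is exactly why a wrapper that calls perror() is not itself re-introducing the weakness it guards against.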