On Thu, Dec 5, 2013 at 12:11 AM, Brendan Jones <brendan.jones.it@xxxxxxxxx> wrote:
> On 12/05/2013 12:11 AM, Ian Pilcher wrote:
>>
>> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>>>
>>> Patching is not a problem. Unnecessary is the question. Explain to me
>>> (not you in particular Rahul) how these printf's can possibly be
>>> exploited?
>>
>>
>> char *output;
>>
>> output = get_user_input(...);
>> printf(output);
>>
>> What happens when the user enters %n?
>>
> I remain unconvinced. Exploit my system with one of ams, aubio, hydrogen,
> jack-keyboard, phasex, portmidi or yoshimi.
>
> I just can't see it

Suppose I create a malicious drumkit and either get it uploaded to one of the officially recommended links at http://www.hydrogen-music.org/hcms/node/16 , or even just attach it in bugzilla to a bug report saying that the Fedora hydrogen package crashes or otherwise mishandles that file (causing _you_ personally to open that file, even if in a debugger)?

Note that I _don't really know_ whether this is exploitable with hydrogen; though the incorrect format strings being in a class named Object does suggest that the affected input paths may be pretty widespread.

Even if this weren't a security issue (or it were already mitigated by _FORTIFY_SOURCE), it's a simple correctness issue: the program's output should be correct, and the program should not abort just because "100%new" happens to appear in a string.

As long as it's worth it to have software packaged in Fedora it's not "unnecessary" to fix bugs IMHO.

Mirek

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
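The point made in the thread (untrusted text passed as the printf format, and the string "100%new" as a concrete trigger) as an added C example that is not part of the mailing-list thread or of any of the packages named; `count_conversions`, `has_write_conversion` and `render_safely` are names chosen here, and the vulnerable `printf(output)` line is kept only as a comment so the block never executes it:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count the '%' conversions printf would try to interpret if the text were
 * (wrongly) passed as the format argument. "%%" is a literal percent sign
 * and is not counted. */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a single '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* True if the text contains a "%n" conversion (optionally with flags, width
 * or length modifiers in between), i.e. the conversion that makes printf
 * write to memory instead of reading from it. */
bool has_write_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;               /* literal percent, not a conversion */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p)
            break;
        if (*p == 'n')
            return true;
    }
    return false;
}

/* Hardened form of the snippet quoted in the thread. The vulnerable version
 * is   printf(output);   (untrusted text used as the format). Here the
 * untrusted text is only ever an argument, so "100%new" is copied verbatim. */
int render_safely(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}
```

With the string from the thread, `count_conversions` reports one conversion, `has_write_conversion` reports that it is a write, and `render_safely` reproduces the text unchanged.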