----- Original Message -----
> On Wed, Dec 04, 2013 at 05:11:16PM -0600, Ian Pilcher wrote:
> > On 12/04/2013 04:56 PM, Brendan Jones wrote:
> > > Patching is not a problem. Unnecessary is the question. Explain to me
> > > (not you in particular Rahul) how these printf's can possibly be
> > > exploited?
> >
> > char *output;
> >
> > output = get_user_input(...);
> > printf(output);
> >
> > What happens when the user enters %n?
>
> With -D_FORTIFY_SOURCE=2 the program is aborted, unless the string resides
> in read-only memory ;)
>

While this response is likely meant to be a bit snarky, I'd like to explain
this a bit more. The idea here is we have multiple layers of defense. We
don't have to only worry about one technology. They fail from time to time,
so you make sure you have a backup, and a backup of the backup, and so on.
We never want to rely on one security technology to solve our problems, so
we combine several. It also helps us future-proof the code. Things can
change in the future; by making wise decisions today we can avoid some pain
tomorrow.

There is also a bigger idea of making sure developers think about what
they're doing. If you just smash out a "printf(foo)", you don't have to give
the type of foo a second thought. The thinking is that if you add an extra
step, it will hopefully remind the developer to think about what they're
doing for a second (and hopefully prevent a bug). This is of course
subjective; I can't prove it's the case.

And lastly, while you can't execute arbitrary code with a %n these days (in
theory), you can cause a denial-of-service, which often isn't ideal either.

Thanks.

--
Josh Bressers / Red Hat Product Security Team

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
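As an added example (not code from the thread or from Fedora), here is the `printf(output)` pattern Ian quoted next to its hardened form, plus the kind of extra check the "layers of defense" argument favours: a scan for conversion directives in a string that is about to be used as a format. The names `count_directives`, `safe_echo` and `print_if_literal` are assumed here.

```c
#include <stdbool.h>
#include <stdio.h>

/* The pattern from the thread: untrusted data used as the format string.
 * "%n" writes the count of characters printed so far through a pointer
 * read from the (absent) argument list, so at minimum this crashes.
 * Compiling with -Wformat-security reports this call at build time, and
 * -D_FORTIFY_SOURCE=2 aborts it at run time when %n is present. */
void unsafe_echo(const char *untrusted)
{
    printf(untrusted);          /* BUG: format string comes from input */
}

/* Hardened form: the untrusted data is an argument, never the format. */
int safe_echo(FILE *out, const char *untrusted)
{
    return fprintf(out, "%s\n", untrusted);
}

/* Count conversion directives in s: every '%' that is not part of the
 * literal escape "%%". A string derived from user input should have 0. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;                    /* a lone trailing '%' is counted too */
    }
    return n;
}

/* Extra layer: refuse to use a caller-supplied string as a format unless
 * it contains no directives. Returns false when the string is refused. */
bool print_if_literal(FILE *out, const char *maybe_format)
{
    if (count_directives(maybe_format) != 0)
        return false;
    fputs(maybe_format, out);   /* no directives, so nothing is consumed */
    return true;
}

int main(void)
{
    const char *user = "100%n of users";   /* constructed sample input */
    safe_echo(stdout, user);               /* prints the text verbatim */
    if (!print_if_literal(stdout, user))
        fputs("refused: input contains a conversion directive\n", stderr);
    return 0;
}
```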