Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.

To: Alexander Hvostov <alex@aoi.dyndns.org>, 182277@bugs.debian.org
Subject: Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.
From: Matt Zimmerman <mdz@debian.org>
Date: Mon, 24 Feb 2003 09:33:48 -0500
Message-id: <[🔎] 20030224143348.GP485@alcor.net>
Reply-to: Matt Zimmerman <mdz@debian.org>, 182277@bugs.debian.org
In-reply-to: <[🔎] 20030224082844.A77D4490168@aoi.dyndns.org>
References: <[🔎] 20030224082844.A77D4490168@aoi.dyndns.org>

tags 182277 - security
thanks

On Mon, Feb 24, 2003 at 12:28:44AM -0800, Alexander Hvostov wrote:

> Package: gcc-3.2
> Version: 1:3.2.3-0pre1
> Severity: normal
> Tags: security
> 
> As noted in the corresponding man page, the 'sprintf' and 'vsprintf' functions are
> insecure, and should not be used. I suggest that gcc print a warning when compiling
> code in which they are used, as it already does with 'gets' (also insecure).

gets() is _inherently_ insecure (there is no way to prevent it from writing
beyond the end of the buffer), and so it should never be used.  It is
perfectly possible, however, to use sprintf and vsprintf securely, and
sometimes good (portability) reasons to do so.

So this kind of warning is not appropriate for sprintf nor vsprintf.

-- 
 - mdz

Reply to:

Follow-Ups:
- Processed: Re: Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

References:
- Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.
  - From: Alexander Hvostov <alex@aoi.dyndns.org>

Prev by Date: Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.
Next by Date: Processed: Re: Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.
Previous by thread: Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.
Next by thread: Processed: Re: Bug#182277: gcc-3.2: Should print a warning when using (v)sprintf.
Index(es):
- Date
- Thread