Bug#182277: Processed: glibc: Should print a warning when using (v)sprintf
Hello,
> Julien, you have to answer Matt Zimmerman's question:
> > gets() is _inherently_ insecure (there is no way to prevent it from
> > writing beyond the end of the buffer), and so it should never be used.
> > It is perfectly possible, however, to use sprintf and vsprintf securely,
> > and sometimes good (portability) reasons to do so.
> >
> > So this kind of warning is not appropriate for sprintf nor vsprintf.
It is true than snprintf and vsnprintf functions are not portable with some C
libraries (Digital OSF1 for example). But I also saw a lot of buffer overflow
with sprintf (in nparted for example). Probably a warning less violent like :
"Warning: the 'sprintf' is quite dangerous, 'snprintf' is preferable, see
documentation in ... for details"
will be better, with a text file explaining all details.
> I agree his opinion. Please tell me the reason.
> If you don't have any strong reasons, then only I close it.
>
> Moreover, how many programs are this warning affected?
Probably a lot.
Best Regards.
--
Julien LEMOINE / SpeedBlue
Reply to: