Bug#182277: Processed: glibc: Should print a warning when using (v)sprintf

To: GOTO Masanori <gotom@debian.or.jp>, GNU Libc Maintainers <debian-glibc@lists.debian.org>(glibc #182277), 182277@bugs.debian.org, chris@debian.org (Christopher C. Chimelis) (binutils #182277), Matt Zimmerman <mdz@debian.org>, Alexander Hvostov <alex@aoi.dyndns.org>, Phil Edwards <phil@jaj.com>
Subject: Bug#182277: Processed: glibc: Should print a warning when using (v)sprintf
From: Julien LEMOINE <speedblue@debian.org>
Date: Wed, 16 Apr 2003 12:31:21 +0200
Message-id: <[🔎] 200304161231.21485.speedblue@debian.org>
Reply-to: Julien LEMOINE <speedblue@debian.org>, 182277@bugs.debian.org
In-reply-to: <[🔎] 8065pe50qq.wl@oris.opensource.jp>
References: <200304150339.49811.speedblue@debian.org> <[🔎] handler.s.C.105037082424331.transcript@bugs.debian.org> <[🔎] 8065pe50qq.wl@oris.opensource.jp>

Hello,

> Julien, you have to answer Matt Zimmerman's question:
> > gets() is _inherently_ insecure (there is no way to prevent it from
> > writing beyond the end of the buffer), and so it should never be used. 
> > It is perfectly possible, however, to use sprintf and vsprintf securely,
> > and sometimes good (portability) reasons to do so.
> >
> > So this kind of warning is not appropriate for sprintf nor vsprintf.

It is true than snprintf and vsnprintf functions are not portable with some C 
libraries (Digital OSF1 for example). But I also saw a lot of buffer overflow 
with sprintf (in nparted for example). Probably a warning less violent like : 
"Warning: the 'sprintf' is quite dangerous, 'snprintf' is preferable, see 
documentation in ... for details"
will be better, with a text file explaining all details.

> I agree his opinion.  Please tell me the reason.
> If you don't have any strong reasons, then only I close it.
>
> Moreover, how many programs are this warning affected?
Probably a lot.

Best Regards.
-- 
Julien LEMOINE / SpeedBlue

Reply to:

Follow-Ups:
- Re: Processed: glibc: Should print a warning when using (v)sprintf
  - From: GOTO Masanori <gotom@debian.or.jp>

References:
- Processed: glibc: Should print a warning when using (v)sprintf
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Re: Processed: glibc: Should print a warning when using (v)sprintf
  - From: GOTO Masanori <gotom@debian.or.jp>

Prev by Date: Re: Processed: glibc: Should print a warning when using (v)sprintf
Next by Date: Bug#189011: libc6: Change ENOSPC 28 to /* No space or inodes left on device */
Previous by thread: Re: Processed: glibc: Should print a warning when using (v)sprintf
Next by thread: Re: Processed: glibc: Should print a warning when using (v)sprintf
Index(es):
- Date
- Thread