
Re: Processed: glibc: Should print a warning when using (v)sprintf



Hi,

At Wed, 16 Apr 2003 12:31:21 +0200,
Julien LEMOINE wrote:
> > Julien, you have to answer Matt Zimmerman's question:
> > > gets() is _inherently_ insecure (there is no way to prevent it from
> > > writing beyond the end of the buffer), and so it should never be used. 
> > > It is perfectly possible, however, to use sprintf and vsprintf securely,
> > > and sometimes good (portability) reasons to do so.
> > >
> > > So this kind of warning is not appropriate for sprintf nor vsprintf.
> 
> It is true that snprintf and vsnprintf functions are not portable with some C 
> libraries (Digital OSF1 for example). But I also saw a lot of buffer overflows 
> with sprintf (in nparted for example). Probably a warning less violent like: 
> "Warning: the 'sprintf' is quite dangerous, 'snprintf' is preferable, see 
> documentation in ... for details"
> will be better, with a text file explaining all details.
>
> > I agree with his opinion.  Please tell me the reason.
> > If you don't have any strong reasons, then only I close it.
> >
> > Moreover, how many programs are affected by this warning?
> Probably a lot.

IMHO, this message hits many programs which don't have any faults.
Well, it's sure that sometimes sprintf causes security problems, but
it's not like "gets".  The correct use of this function does not
induce problems.  Do you claim that all programmers are completely
stupid, so we have to introduce this link_warning?  I believe it's not
true.  I would not like to apply this patch.

Regards,
-- gotom
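
The distinction the thread turns on, as an added example that is not part of the original messages or of glibc: sprintf can be bounded by the caller when every conversion has a known maximum width, while snprintf enforces the bound itself and reports truncation through its return value. The function names, the "user=... id=..." format and the buffer sizes are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_SHOWN 16
/* Upper bound on the characters "%d" can emit for any int (digits + sign). */
#define INT_CHARS (sizeof(int) * CHAR_BIT / 3 + 2)
/* "user=" (5) + name bytes + " id=" (4) + integer + terminating NUL. */
#define LINE_SIZE (5 + NAME_MAX_SHOWN + 4 + INT_CHARS + 1)

/* sprintf used safely: the precision caps %s at NAME_MAX_SHOWN bytes and
 * %d is capped by INT_CHARS, so LINE_SIZE can never be exceeded. */
int format_bounded(char out[LINE_SIZE], const char *name, int id)
{
    return sprintf(out, "user=%.*s id=%d", NAME_MAX_SHOWN, name, id);
}

/* snprintf: the library enforces the bound; a return value >= size means
 * the output was truncated, which the caller must treat as a failure. */
int format_checked(char *out, size_t size, const char *name, int id)
{
    int n = snprintf(out, size, "user=%s id=%d", name, id);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

int main(void)
{
    char line[LINE_SIZE];
    char small[12];

    /* Constructed inputs: an over-long name and the widest possible int. */
    format_bounded(line, "a_very_long_user_name_that_exceeds_sixteen", INT_MIN);
    puts(line);
    if (format_checked(small, sizeof small, "alice", 7) < 0)
        puts("truncated: output did not fit in 12 bytes");
    return 0;
}
```

An unbounded `%s` in `format_bounded` would remove the guarantee; the safety of the sprintf variant rests entirely on the precision and the size calculation staying in sync.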