
Bug#182277: marked as done (gcc-3.2: Should print a warning when using (v)sprintf.)



Your message dated Sun, 20 Apr 2003 12:01:39 +0900
with message-id <80he8t3m98.wl@oris.opensource.jp>
and subject line Processed: glibc: Should print a warning when using (v)sprintf
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 24 Feb 2003 08:29:27 +0000
>From alex@aoi.dyndns.org Mon Feb 24 02:29:27 2003
Return-path: <alex@aoi.dyndns.org>
Received: from mail.frys.com [63.204.205.60] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18nDzL-0006er-00; Mon, 24 Feb 2003 02:29:27 -0600
Received: from aoi.dyndns.org (postfix@host-66-81-124-110.rev.o1.com [66.81.124.110])
	by mail.frys.com (8.11.6/8.11.6) with SMTP id h1O8e0j11923
	for <submit@bugs.debian.org>; Mon, 24 Feb 2003 00:40:01 -0800
Received: by aoi.dyndns.org (Postfix, from userid 1001)
	id A77D4490168; Mon, 24 Feb 2003 00:28:44 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Alexander Hvostov <alex@aoi.dyndns.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gcc-3.2: Should print a warning when using (v)sprintf.
X-Mailer: reportbug 2.10
Date: Mon, 24 Feb 2003 00:28:44 -0800
Message-Id: <20030224082844.A77D4490168@aoi.dyndns.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-0.7 required=4.0
	tests=HAS_PACKAGE,PGP_SIGNATURE,SPAM_PHRASE_00_01
	version=2.44
X-Spam-Level: 

Package: gcc-3.2
Version: 1:3.2.3-0pre1
Severity: normal
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As noted in the corresponding man page, the 'sprintf' and 'vsprintf' functions are
insecure, and should not be used. I suggest that gcc print a warning when compiling
code in which they are used, as it already does with 'gets' (also insecure).

- -- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux cornerstone 2.4.19 #3 Sat Jan 25 06:26:18 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages gcc-3.2 depends on:
ii  binutils                  2.13.90.0.18-1 The GNU assembler, linker and bina
ii  cpp-3.2                   1:3.2.3-0pre1  The GNU C preprocessor
ii  gcc-3.2-base              1:3.2.3-0pre1  The GNU Compiler Collection (base 
ii  libc6                     2.3.1-11       GNU C Library: Shared libraries an
ii  libgcc1                   1:3.2.3-0pre1  GCC support library

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+Wde8tHQW4HWNftkRApKUAJ48LxVMp39GRutrfgn7yH2nPUBcwACgg5wB
V7Qa4p7aznoNXvxf7zAWOo0=
=ByP2
-----END PGP SIGNATURE-----

---------------------------------------
Received: (at 182277-done) by bugs.debian.org; 20 Apr 2003 03:01:42 +0000
>From gotom@debian.or.jp Sat Apr 19 22:01:41 2003
Return-path: <gotom@debian.or.jp>
Received: from oris.opensource.jp (oris.opensource.gr.jp) [218.44.239.73] (postfix)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 19755J-0003J8-00; Sat, 19 Apr 2003 22:01:41 -0500
Received: from oris.opensource.jp (oris.opensource.jp [218.44.239.73])
	by oris.opensource.gr.jp (Postfix) with ESMTP
	id E0469C33C1; Sun, 20 Apr 2003 12:01:39 +0900 (JST)
Date: Sun, 20 Apr 2003 12:01:39 +0900
Message-ID: <80he8t3m98.wl@oris.opensource.jp>
From: GOTO Masanori <gotom@debian.or.jp>
To: Julien LEMOINE <speedblue@debian.org>
Cc: GOTO Masanori <gotom@debian.or.jp>, 182277-done@bugs.debian.org
Subject: Re: Processed: glibc: Should print a warning when using (v)sprintf
In-Reply-To: <20030419203156.GA13036@trinity.all-3rd.net>
References: <200304150339.49811.speedblue@debian.org>
	<handler.s.C.105037082424331.transcript@bugs.debian.org>
	<8065pe50qq.wl@oris.opensource.jp>
	<200304161231.21485.speedblue@debian.org>
	<80u1cu3c0e.wl@oris.opensource.jp>
	<20030419203156.GA13036@trinity.all-3rd.net>
User-Agent: Wanderlust/2.9.9 (Unchained Melody) SEMI/1.14.3 (Ushinoya)
 FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=) APEL/10.3 Emacs/21.2
 (i386-debian-linux-gnu) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.3 - "Ushinoya")
Content-Type: text/plain; charset=US-ASCII
Delivered-To: 182277-done@bugs.debian.org
X-Spam-Status: No, hits=-2.1 required=4.0
	tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,SPAM_PHRASE_01_02,
	      USER_AGENT
	version=2.44
X-Spam-Level: 

At Sat, 19 Apr 2003 22:31:59 +0200,
Julien LEMOINE wrote:
> * GOTO Masanori <gotom@debian.or.jp> [2003-04-19 21:30:41 +0900]:
> 
> > IMHO, this message hits many programs which don't have any faults.
> > Well it's sure that sometimes sprintf occurs security problem, but
> > it's not like "gets".  The correct use of this function does not
> > induce problems.  Do you claim that all programmers are completely
> > stupid, so we have to introduce this link_warning?  I believe it's not
> > true.  I would not like to apply this patch.
> 
> Yes it is not true, you can close the bug report.

Thanks, I close this bug.

Well, we have to warn sprintf issue to developers every time...

Regards,
-- gotom
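
Added example, not part of the thread and not gcc or glibc code: the distinction argued above, shown in C. sprintf is safe where the output length is bounded by the argument types; for a caller-supplied string, snprintf with a truncation check bounds the write. The function names, the INT_DEC_MAX macro and the sample inputs are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Enough for any int in decimal: sign + digits + NUL.
   An N-bit value needs at most N/3 + 1 decimal digits. */
#define INT_DEC_MAX (sizeof(int) * CHAR_BIT / 3 + 3)

/* sprintf used correctly: the output length is bounded by the type,
   so the destination can be sized at compile time. */
int format_port(char out[INT_DEC_MAX], int port)
{
    return sprintf(out, "%d", port);
}

/* Caller-supplied string: its length is not known at compile time, so
   bound the write with snprintf and treat truncation as an error.
   Returns 0 on success, -1 if the result did not fit or on error. */
int format_greeting(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "Hello, %s!", name);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';   /* do not hand back a truncated string */
        return -1;
    }
    return 0;
}

int main(void)
{
    char num[INT_DEC_MAX];
    char msg[16];

    /* Constructed sample inputs. */
    format_port(num, INT_MIN);
    printf("%s\n", num);
    printf("%d\n", format_greeting(msg, sizeof msg, "alex"));
    printf("%d\n", format_greeting(msg, sizeof msg,
                                   "a-constructed-overlong-name"));
    return 0;
}
```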


