bug-gnulib

Re: recent glibc printf bug


From: Bruno Haible
Subject: Re: recent glibc printf bug
Date: Thu, 24 Feb 2011 23:54:45 +0100
User-agent: KMail/1.9.9

Eric Blake wrote:
> > But the effect of writing wrong data to the stack could be abused for
> > security relevant exploits, so I would say yes.
> 
> Can gettext() ever return a translation that exploits the bug, by
> abusing positional directives to have more directives than the original
> format string being translated?  Maybe gettext needs to sanitize
> translated strings to ensure that translators can't inject the bug?

Applications can use various means to fetch a "computed" format string from
somewhere, not only through gettext().

But indeed gettext() will not prohibit a maliciously constructed format string
from being returned:
  1. While 'msgfmt -c' does verify the translations of format strings, people
     can create .mo files that they didn't create with 'msgfmt -c'.
  2. The verification done by 'msgfmt -c' ensures that the translation consumes
     the same number and the same kind of arguments as the original string,
     but the translator is free to insert as many '%%' directives in the string
     as he likes. And for this bug, it's the total number of directives that
     matters.

Bruno
-- 
In memoriam Mario Manuel de la Peña <http://www.directorio.org/mario.htm>
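As an added illustration of point 2 above (this is example code written for this page, not code from gettext, glibc or the thread): a small Python checker that does the 'msgfmt -c' style comparison of argument kinds and, on top of that, counts every directive including '%%', so a translation that keeps the arguments identical but pads the string with extra directives is flagged. The printf grammar it recognizes, the rejection of '*' width/precision, and the sample strings are the example's own assumptions.

```python
import re

# One printf directive: "%%" or "%[n$][flags][width][.prec][length]conv".
# A '*' width or precision is rejected below (it consumes an extra int
# argument and would complicate the positional bookkeeping), not modelled.
_DIRECTIVE = re.compile(
    r"%(?:(?P<pct>%)|(?:(?P<pos>\d+)\$)?[-+ #0']*(?P<w>\*|\d+)?"
    r"(?:\.(?P<p>\*|\d+)?)?(?:hh|h|ll|l|L|q|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspnCS]))"
)

def analyze(fmt):
    """Return (total directives including '%%', argument conversions in
    consumption order).  Raises ValueError on malformed/unsupported input."""
    if "%" in _DIRECTIVE.sub("", fmt):
        raise ValueError("malformed directive in %r" % fmt)
    total, seq, positional = 0, [], {}
    for m in _DIRECTIVE.finditer(fmt):
        total += 1
        if m.group("pct"):
            continue
        if "*" in (m.group("w"), m.group("p")):
            raise ValueError("'*' width/precision not supported by this checker")
        if not m.group("pos"):
            seq.append(m.group("conv"))
            continue
        n = int(m.group("pos"))
        if n < 1 or positional.get(n, m.group("conv")) != m.group("conv"):
            raise ValueError("bad or conflicting positional argument %d" % n)
        positional[n] = m.group("conv")
    if seq and positional:
        raise ValueError("mixing positional and sequential directives")
    if sorted(positional) != list(range(1, len(positional) + 1)):
        raise ValueError("positional arguments have gaps")
    return total, tuple(positional[k] for k in sorted(positional)) or tuple(seq)

def check_translation(original, translated):
    """The check 'msgfmt -c' does (same argument count and kinds) plus the
    one Bruno's point calls for: the translation may not add directives."""
    o_total, o_args = analyze(original)
    t_total, t_args = analyze(translated)
    problems = []
    if o_args != t_args:
        problems.append("argument mismatch: %r vs %r" % (o_args, t_args))
    if t_total > o_total:
        problems.append("directive count grew from %d to %d" % (o_total, t_total))
    return problems
```

A translation such as "%2$d %% %% %% %1$s" for the original "Hello %s, %d msgs" passes the argument comparison and is caught only by the directive count.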
