Re: recent glibc printf bug
From: Bruno Haible
Subject: Re: recent glibc printf bug
Date: Thu, 24 Feb 2011 23:54:45 +0100
User-agent: KMail/1.9.9
Eric Blake wrote:
> > But the effect of
> > writing wrong data to the stack could be abused for security relevant
> > exploits,
> > so I would say yes.
>
> Can gettext() ever return a translation that exploits the bug, by
> abusing positional directives to have more directives than the original
> format string being translated? Maybe gettext needs to sanitize
> translated strings to ensure that translators can't inject the bug?
Applications can use various means to fetch a "computed" format string from
somewhere, not only through gettext().
But indeed gettext() will not prohibit a maliciously constructed format string
from being returned:
1. While 'msgfmt -c' does verify the translations of format strings, people
can create .mo files that they didn't create with 'msgfmt -c'.
2. The verification done by 'msgfmt -c' ensures that the translation consumes
the same number and the same kind of arguments as the original string,
but the translator is free to insert as many '%%' directives in the string
as he likes. And for this bug, it's the total number of directives that
matters.
Bruno
--
In memoriam Mario Manuel de la Peña <http://www.directorio.org/mario.htm>
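As an added illustration of point 2 above (this is example code, not part of gettext, glibc or this thread): a small C check that tallies the directives of a printf-style format string the way the discussion distinguishes them, counting '%%' in the total but not among the argument-consuming directives, and rejecting a translation whose total directive count exceeds the original's. The parser covers the subset of the printf grammar named in its comment, and the acceptance rule, the function names and the sample strings are this example's own; the rule is deliberately simpler than what 'msgfmt -c' enforces.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Directive tally for one printf-style format string. */
struct directive_count {
    int total;      /* every directive, "%%" included */
    int consuming;  /* directives (and '*' widths/precisions) that take an argument */
};

/* If p points at "n$" (a positional index), return the pointer just past
 * the '$'; otherwise return p unchanged. */
static const char *skip_positional(const char *p)
{
    const char *q = p;
    while (isdigit((unsigned char)*q))
        q++;
    return (q > p && *q == '$') ? q + 1 : p;
}

/* Walk a format string and count its directives.  Handles this subset of
 * the printf grammar (example parser, not glibc's):
 *   %[n$][flags][width|*[m$]][.precision|.*[m$]][length]conversion
 * "%%" is counted in `total` only.  A truncated directive at the end of the
 * string is counted in `total` but never read past the terminator. */
static struct directive_count count_directives(const char *fmt)
{
    struct directive_count c = {0, 0};
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                          /* step over the '%' */
        c.total++;
        if (*p == '%') {              /* literal percent sign */
            p++;
            continue;
        }
        int args = 1;                 /* the conversion itself */
        p = skip_positional(p);       /* "n$" */
        while (*p && strchr("-+ #0'", *p))   /* flags */
            p++;
        if (*p == '*') {              /* width from an argument, maybe "*m$" */
            args++;
            p = skip_positional(p + 1);
        }
        while (isdigit((unsigned char)*p))   /* literal width */
            p++;
        if (*p == '.') {              /* precision */
            p++;
            if (*p == '*') {
                args++;
                p = skip_positional(p + 1);
            }
            while (isdigit((unsigned char)*p))
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0')               /* truncated directive: stop safely */
            break;
        p++;                          /* conversion character */
        c.consuming += args;
    }
    return c;
}

/* Returns 1 when the translation has the same number of argument-consuming
 * directives as the original and no more directives in total (so "%%"
 * cannot be used to inflate the count); 0 otherwise.  Example rule only. */
static int translation_directive_count_ok(const char *orig, const char *trans)
{
    struct directive_count o = count_directives(orig);
    struct directive_count t = count_directives(trans);
    return t.consuming == o.consuming && t.total <= o.total;
}

int main(void)
{
    /* Constructed sample strings, not taken from any real catalog. */
    const char *orig = "%s has %d files";
    const char *good = "%2$d Dateien in %1$s";
    const char *bad  = "%s: %d %% %% %% %% %%";

    printf("%-28s -> %s\n", good, translation_directive_count_ok(orig, good) ? "ok" : "rejected");
    printf("%-28s -> %s\n", bad,  translation_directive_count_ok(orig, bad)  ? "ok" : "rejected");
    return 0;
}
```

Two caveats on the rule as written: with positional directives one argument may be referenced by several directives, so `consuming` counts directives, not distinct arguments (a same-kind check per argument position, as 'msgfmt -c' performs, would sit on top of this); and the check only helps for catalogs loaded by an application that calls it, since, as the mail notes, a format string can arrive by other routes than gettext().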