typo_at_INFERNO.TUSCULUM.EDU wrote:
> On Tue, Sep 05, 2000 at 11:21:20AM +0200, Bluefish (P.Magnusson) wrote:
> > From what I remember from bugtraq, it seems to be quite tricky to provide
> > a good patch to this problem. So I wonder, has any of these tools
> > (ProPolice, libsafe, StackGuard or StackShield) added anything to
> > combat format bugs, or if it's an active research area.
>
> where's the need for research? i've made glibc rpms without %n the day
> the first format bugs went to bugtraq, and had them installed on all of my
> [linux] machines since then...

Deleting a feature found to be vulnerable is called a "workaround", not a
"solution". Cursory checking of source code reveals %n being used in at least
these programs:

* BitchX - an irc client
* Nedit - a program editor
* SourceNavigator - a program editor / IDE / Debugger

> does every stupid idea have to be marketed as 'research' nowadays?

And a cheery "greetz" to you, too :-) I think it is research to come up with a
solution that makes the format class of bugs go away without having to audit or
hack 10 million lines of source code, but I'm strange that way.

Crispin
--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
Olympics: The Corruption Games
Received on Sep 06 2000
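
An added example, not part of the original message or of any tool named in it: the kind of source check the reply mentions has to parse printf directives rather than search for the text "%n", because "%%n" is a literal percent sign followed by "n", while "%hn", "%ln" and "%2$n" are all real %n directives. The function name `count_percent_n` and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count %n-family directives in a printf-style format string.
 * Lenient parse: after '%', skip positional index, flags, width and
 * precision, then length modifiers, and inspect the conversion character. */
size_t count_percent_n(const char *fmt)
{
    size_t hits = 0;
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                                    /* step past '%' */
        if (*p == '%') {                        /* "%%" is a literal percent */
            p++;
            continue;
        }
        p += strspn(p, "0123456789$-+ #'*.");   /* index, flags, width, precision */
        p += strspn(p, "hlLqjzt");              /* length modifiers */
        if (*p == 'n')
            hits++;                             /* store-count directive found */
        if (*p != '\0')
            p++;                                /* consume the conversion char */
    }
    return hits;
}

int main(void)
{
    /* Constructed sample format strings, as they might appear in C source. */
    const char *samples[] = {
        "user %s logged in\n",   /* no %n: "\n" here is a newline character */
        "%d items%n",            /* legitimate use: record bytes written */
        "100%%n",                /* literal '%' then 'n', not a directive */
        "%2$hn",                 /* positional, short-sized store */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%zu  %%n directive(s) in sample %zu\n",
               count_percent_n(samples[i]), i);
    return 0;
}
```

A nonzero count on a constant format string marks a program that a libc built without %n would break; it says nothing about call sites where the format argument is not a constant, which need a separate check.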