| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20131008132845.7e6c1c28f1c917f30ecb8dc5@linux-foundation.org> Date: Tue, 8 Oct 2013 13:28:45 -0700 From: Andrew Morton <akpm@...ux-foundation.org> To: Kees Cook <keescook@...omium.org> Cc: linux-kernel@...r.kernel.org, Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>, joe@...ches.com Subject: Re: [PATCH 3/3] vsprintf: ignore %n again On Mon, 7 Oct 2013 19:56:51 -0700 Kees Cook <keescook@...omium.org> wrote: > This ignores %n in printf again, as was originally documented. Implementing > %n poses a greater security risk than utility, so it should stay ignored. > To help anyone attempting to use %n, a warning will be emitted if it is > encountered. > > Based on earlier patch by Joe Perches. Well this sucks. Nowhere in this patchset are we told what is the alleged security risk with %n. There's even a runtime warning telling people not to use it, but we've provided no way for them to find out *why*. Please send along suitable changelog text so I can fix this up. A new checkpatch rule might be appropriate? Two of these patches were acked-by:you. But you sent the patches, so I changed these to Signed-off-by:, as per Documentation/SubmittingPatches, section 12. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists