Bug 39230

Summary: warn against format string attacks in the printf man page
Product: Documentation
Reporter: Martin Faxer <gmh003532>
Component: Books & Articles
Assignee: chris <chris>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments: printf.diff (Flags: none)

Description Martin Faxer 2002-06-13 15:30:05 UTC
	
The printf man page fails to inform the reader about the need to
include a format string in the security considerations section
of the man page.

Fix: apply the patch below (the patch also makes the paragraph below
a little bit clearer by stating that the sprintf() and vsprintf()
functions are easily misused because of their lack of bounds
checking.)
	
How-To-Repeat: 	
read the printf(3) man page
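
The two points the report raises, as an added C example that is not part of the bug report or the attached printf.diff: text passed as the format argument is interpreted by the printf family, and sprintf() has no bound where snprintf() does. The function names and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example; names are illustrative. The deliberately unsafe call
 * below trips these warnings, so they are silenced for the contrast. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* UNSAFE: the caller's text is used as the format string, so any
 * conversion specification inside it is interpreted by snprintf(). */
int render_as_format(char *dst, size_t dstsz, const char *text)
{
    return snprintf(dst, dstsz, text);
}

/* SAFE: a constant format; the caller's text is only ever data. */
int render_as_data(char *dst, size_t dstsz, const char *text)
{
    return snprintf(dst, dstsz, "%s", text);
}

/* Bounded replacement for sprintf(dst, "user=%s", name).
 * Returns 0 on success, -1 if the output did not fit (dst is then emptied
 * instead of silently holding a truncated value). */
int format_user(char *dst, size_t dstsz, const char *name)
{
    int n = snprintf(dst, dstsz, "user=%s", name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: "%%" is harmless to interpret, which keeps the
     * unsafe call well defined while still showing the difference. */
    const char *input = "100%% done";
    char a[32], b[32], small[8];

    render_as_format(a, sizeof a, input);
    render_as_data(b, sizeof b, input);
    printf("as format: %s\nas data:   %s\n", a, b);
    printf("fits in 8 bytes: %s\n",
           format_user(small, sizeof small, "administrator") == 0 ? "yes" : "no");
    return 0;
}
```

Building with `-Wformat -Wformat-security` and without the two pragmas makes the compiler flag the call in `render_as_format()`, which is a quick way to find the same pattern in existing code.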
Comment 1 chris freebsd_committer freebsd_triage 2002-06-13 19:59:10 UTC
State Changed
From-To: open->analyzed

I wrote this section. 


Comment 2 chris freebsd_committer freebsd_triage 2002-06-13 19:59:10 UTC
Responsible Changed
From-To: freebsd-doc->chris

I wrote this section.
Comment 3 chris freebsd_committer freebsd_triage 2002-06-14 00:44:40 UTC
State Changed
From-To: analyzed->closed

A patch has been applied more along the lines of my current 
SECURITY CONSIDERATIONS work. 

Thanks for calling it to my attention!