format string attack on dbug.c
Bugzilla Link: 694
Created on: Apr 07, 2010 21:33
Resolution: FIXED
Resolved on: Apr 09, 2010 13:56
Version: svn
OS: Linux
Architecture: PC
Extended Description
Some of my students from the compiler course found a flaw in the current
implementation of the dbug package (formerly known as Fred Fish).
http://en.wikipedia.org/wiki/Format_string_attack
In essence, function arguments are directly used as printf format strings,
which is a security hole and at least bad programming practice.
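
The pattern described in the report, shown next to its corrected form. This is an added example, not code from dbug.c or from the reporter; the helper names trace_unsafe, trace_safe and preserved_verbatim and the sample string are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical debug helpers for illustration; not taken from dbug.c. */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Flawed pattern: the caller's string is passed as the format, so every
 * '%' in it is interpreted as a conversion specification. The pragmas
 * only silence the warning a compiler raises for this call. */
int trace_unsafe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Corrected pattern: the format is a constant and the caller's string
 * is passed as data only. */
int trace_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Constructed sample input. "%%" is the one directive that consumes no
 * argument, so the flawed call stays well-defined here while still
 * showing that the text was parsed as a format. */
static const char SAMPLE[] = "cache hit rate 100%% (constructed input)";

/* Returns 1 if the helper reproduced msg byte for byte, 0 otherwise. */
int preserved_verbatim(int (*fn)(char *, size_t, const char *),
                       const char *msg)
{
    char buf[128];
    fn(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    printf("unsafe preserves input: %d\n",
           preserved_verbatim(trace_unsafe, SAMPLE));
    printf("safe preserves input:   %d\n",
           preserved_verbatim(trace_safe, SAMPLE));
    return 0;
}
```

Building with -Wformat -Wformat-security (GCC or Clang) and without the pragmas makes the compiler flag the call in trace_unsafe.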