format string attack on dbug.c
| Bugzilla Link | 694 |
| Created on | Apr 07, 2010 21:33 |
| Resolution | FIXED |
| Resolved on | Apr 09, 2010 13:56 |
| Version | svn |
| OS | Linux |
| Architecture | PC |
Extended Description
Some of my students from the compiler course found a flaw in the current implementation of the dbug package (formerly known as Fred Fish).

http://en.wikipedia.org/wiki/Format_string_attack

In essence, function arguments are directly used as printf format strings, which is a security hole and at least bad programming practice.
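
The pattern this report describes, shown beside its hardened form, as an added example that is not code from dbug.c or from the reporter. The names `emit`, `trace_unsafe`, `trace_safe` and `count_directives` are hypothetical, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style sink standing in for a debug package's output
 * routine. Declaring it with __attribute__((format(printf, 3, 4))) lets
 * GCC/Clang -Wformat-security flag the call in trace_unsafe(). */
static int emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the caller's text becomes the format string. */
static int trace_unsafe(char *out, size_t n, const char *msg)
{
    return emit(out, n, msg);
}

/* Hardened pattern: constant format, caller's text is only data. */
static int trace_safe(char *out, size_t n, const char *msg)
{
    return emit(out, n, "%s", msg);
}

/* Number of directives printf would act on if msg were used as a format;
 * "%%" is a literal percent sign and consumes no argument. */
static int count_directives(const char *msg)
{
    int count = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *msg = "progress: 100%% done";  /* constructed input */
    char a[64], b[64];
    trace_unsafe(a, sizeof a, msg);
    trace_safe(b, sizeof b, msg);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return count_directives(msg);
}
```

The sample input contains only `%%`, so the flawed call stays well defined while still showing that the text is parsed rather than copied. Any string for which `count_directives` returns a non-zero value would make the flawed call consume arguments that were never passed.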