This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: Implement C11 annex K?
- From: Andreas Schwab <schwab at suse dot de>
- To: Rich Felker <dalias at libc dot org>
- Cc: Florian Weimer <fweimer at redhat dot com>, libc-alpha at sourceware dot org
- Date: Thu, 14 Aug 2014 18:53:51 +0200
- Subject: Re: Implement C11 annex K?
- Authentication-results: sourceware.org; auth=none
- References: <53EBEACD dot 3070000 at googlemail dot com> <87k36cc559 dot fsf at windlord dot stanford dot edu> <20140814022501 dot GT12888 at brightrain dot aerifal dot cx> <87r40jbq2p dot fsf at windlord dot stanford dot edu> <20140814054610 dot GV12888 at brightrain dot aerifal dot cx> <87ha1fbnrp dot fsf at windlord dot stanford dot edu> <53EC87A4 dot 1080805 at redhat dot com> <mvmr40j4cep dot fsf at hawking dot suse dot de> <53EC8A1F dot 8080203 at redhat dot com> <mvmmwb74bx0 dot fsf at hawking dot suse dot de> <20140814162628 dot GC12888 at brightrain dot aerifal dot cx>
Rich Felker <dalias@libc.org> writes:
> On Thu, Aug 14, 2014 at 12:12:59PM +0200, Andreas Schwab wrote:
>> Florian Weimer <fweimer@redhat.com> writes:
>>
>> > On 08/14/2014 12:02 PM, Andreas Schwab wrote:
>> >> Florian Weimer <fweimer@redhat.com> writes:
>> >>
>> >>> Here's a security bug which resulted from the incorrect use of strlcpy:
>> >>>
>> >>> <http://www.samba.org/samba/security/CVE-2014-3560>
>> >>> <https://git.samba.org/?p=samba.git;a=commitdiff;h=e6a848630d>
>> >>
>> >> This only proves that strlcpy isn't any better at preventing security
>> >> bugs.
>> >
>> > It also shows that there is a real cost to not providing strlcpy in glibc.
>>
>> No, you got it backwards. Had samba used the standard string functions
>> it would have been "protected" by fortification. Of course,
>> fortification is just a workaround for sloppy programming anyway.
>
> Except that we don't have any control over what Samba does, much less
> any control over what every single broken app out there does.
There's a lot of ways to screw things up.
> Unless you want to go audit them all, file bug reports, and work
> through the fights with their maintainers to get them to fix things,
> the practical way to improve security is to provide a correct,
> fortify-compatible strlcpy/strlcat in glibc so that these bugs can be
> caught automatically. That's something the glibc team _can_ actually
> do.
What is really neded is a high-performance, high-level string library.
Something of the expressiveness of std::string. Then kludges like
strlcpy wouldn't be needed.
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."