Bruno Haible <br...@clisp.org> writes:

> 1) It's a security problem if a program's binary (+ associated shared
> libraries) somewhere implements a printf with %n, even without actively
> using it. Because an attacker can piece together a format string in
> memory and call that printf function; this then gives them the ability
> to write an arbitrary value into an arbitrary memory location.
It's also a security problem that my computer executes code within
writable memory, in contrast to code present on aluminium memory cards.

> 2) Whether the fault lies in the program or in Gnulib is irrelevant.
> The distros attempt to handle a CVE in the simplest way possible. If
> this means to drop the program from the distro, that is what they do.

It is their loss, not ours. Let's not allow GNU development to be
affected by the attitudes of holier-than-thou computer security
researchers; see https://www.sqlite.org/cves.html for a candid
description of the issues underlying the CVE system.
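The mechanism Bruno's first point describes, a reachable printf with %n support turning into an arbitrary write, as an added C example; this is illustration code written for this page, not code from the thread, from Gnulib or from glibc. The function names (write_via_n, n_primitive_demo, format_has_n_directive) and the 8 KiB scratch buffer are assumptions of the example. The destination pointer is passed explicitly so the effect is visible and testable; in a real attack the attacker plants the address on the stack and reaches it with a positional "%N$n" directive, and the "memory location" is chosen by them rather than by the program.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The %n primitive: every printf-family function that implements %n stores
 * "characters written so far" into the int* argument %n consumes.  A field
 * width chosen by the attacker fixes how many characters precede the %n, so
 * the stored value is arbitrary.  `value` must be >= 1 and smaller than the
 * scratch buffer (a demo bound, not a security check); returns 0 on success. */
int write_via_n(int value, int *target)
{
    char sink[8192];                          /* assumed scratch size */
    if (value < 1 || value >= (int)sizeof sink)
        return -1;
    /* "%*d" prints 0 padded to `value` columns; "%n" then stores `value`. */
    snprintf(sink, sizeof sink, "%*d%n", value, 0, target);
    return 0;
}

/* Wrapper that returns the overwritten variable, for testing. */
int n_primitive_demo(int value)
{
    int target = -1;
    if (write_via_n(value, &target) != 0)
        return -1;
    return target;
}

/* Defence-in-depth check for code that must accept a non-literal format:
 * walks each conversion specification (positional N$, flags, width,
 * precision, length modifier, conversion) and reports whether any conversion
 * is 'n'.  "%%n" is a literal percent followed by 'n' and does not count;
 * "%5$hhn" does.  The real fix is never to pass attacker-controlled data as
 * a format at all; use a literal "%s" and hand the data in as an argument. */
bool format_has_n_directive(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                         /* "%%" */
        /* positional index, flags and width digits (order is lenient here) */
        while (*p && strchr("0123456789$-+ #'", *p))
            p++;
        if (*p == '*')                        /* width taken from an argument */
            p++;
        if (*p == '.') {                      /* precision */
            p++;
            while (*p && (strchr("0123456789$", *p) || *p == '*'))
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))   /* length modifiers */
            p++;
        if (*p == 'n')
            return true;
        if (!*p)
            break;                            /* truncated directive at end */
    }
    return false;
}

int main(void)
{
    /* Constructed attacker input: would be read from the network in practice. */
    const char *attacker_fmt = "%*d%n";
    const char *benign_fmt   = "user %s logged in (%%n is not a directive here)";

    printf("n_primitive_demo(1234) = %d\n", n_primitive_demo(1234));
    printf("\"%s\" has %%n: %s\n", attacker_fmt,
           format_has_n_directive(attacker_fmt) ? "yes" : "no");
    printf("\"%s\" has %%n: %s\n", benign_fmt,
           format_has_n_directive(benign_fmt) ? "yes" : "no");
    return 0;
}
```

Two practitioner caveats: the scanner only helps programs that already pass non-literal formats, which `-Wformat-security` will flag at compile time; and glibc built with `_FORTIFY_SOURCE=2` refuses a %n directive at run time when the format string lives in writable memory, which is exactly the "pieced together in memory" case, so a program whose printf comes from a different implementation (Gnulib's replacement, a static musl, a bespoke one) does not get that check for free.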