In <https://lists.gnu.org/archive/html/bug-gnulib/2023-08/msg00033.html> I wrote:

> I cannot guarantee that Gnulib will be able to support %n
> in the long run. The "security-aware community" are filing CVEs here and
> there; %n is among their targets (it has already been disabled from libc
> on Ubuntu, macOS, and MSVC); and I don't know when they will discover
> that Gnulib still enables it.
The way I propose to do it:

- Remove the support for the %n directives from all *printf* modules by default.
- Add a new module 'printf-with-n-directive' that re-enables this support in all these modules.
- Add a NEWS entry to notify the packages.

This way, most packages that use Gnulib *printf will be immune against possible CVEs in this area.

I'm also considering making the same move in GNU libintl.

Bruno
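The check a *printf implementation without %n support has to make, written here as an added example and not taken from Gnulib's own vasnprintf code: walk the format string, skip `%%` escapes and each directive's flags, width, precision and length-modifier prefix (including POSIX `%N$` positional references), and report whether any conversion is `%n`. The function names and the "reject before formatting" approach are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Skip an optional decimal number (width, precision, or the N of "%N$"). */
static const char *skip_digits(const char *p)
{
    while (isdigit((unsigned char)*p))
        p++;
    return p;
}

/* Skip a width or precision field: digits, or '*' optionally followed
   by "N$" (POSIX positional reference for the '*' argument). */
static const char *skip_width(const char *p)
{
    if (*p == '*') {
        const char *q = skip_digits(p + 1);
        return (q > p + 1 && *q == '$') ? q + 1 : p + 1;
    }
    return skip_digits(p);
}

/* Return true if FORMAT contains a %n conversion, i.e. a directive that
   writes the byte count back through a pointer argument.  "%%" is a
   literal percent sign, not a directive.  Illustrative parser written for
   this example; it is not Gnulib's code. */
bool format_has_n_directive(const char *format)
{
    const char *p = format;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') {                     /* "%%": escaped percent */
            p++;
            continue;
        }
        const char *q = skip_digits(p);      /* optional "N$" positional */
        if (q > p && *q == '$')
            p = q + 1;
        while (*p && strchr("-+ #0'I", *p))  /* flags */
            p++;
        p = skip_width(p);                   /* width */
        if (*p == '.')                       /* precision */
            p = skip_width(p + 1);
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0')                      /* truncated directive */
            return false;
        if (*p == 'n')
            return true;
        p++;                                 /* some other conversion */
    }
    return false;
}
```

A *printf without %n support would run this kind of scan (or its equivalent inside the directive parser) and fail the call, for example with EINVAL, instead of writing through the pointer.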