Hi, d...@genunix.com wrote on Sun, Feb 23, 2014 at 08:54:34AM -0500:
> I am seeing strange and questionable messages while attempting a compile > and then test of GNU gettext 0.18.3.2 thus : > > ../gnulib-lib/.libs/libgettextlib.so: warning: stpcpy() is dangerous GNU crap; > don't use it > ../gnulib-lib/.libs/libgettextlib.so: warning: strcpy() is almost always > misused, please use strlcpy() > ../gnulib-lib/.libs/libgettextlib.so: warning: strcat() is almost always > misused, please use strlcat() > ../gnulib-lib/.libs/libgettextlib.so: warning: sprintf() is often misused, > please use snprintf() > > Are these messages coming from within the OpenBSD world ? Yes. They come from ld(1), the OpenBSD linker, and cannot be disabled. They are intended to remind the person building the software that almost all real-world code still containing these functions today almost certainly contains buffer overflow bugs, some of which may be exploitable. It is intended as a warning to avoid using such software, which probably is of questionable quality, in any security-critical applications, and it is intended as an incentive to doing a thorough security audit. Note that it is theoretically possible to use these functions correctly; however, it is so much more difficult in practice than using better interfaces in the first place that practical experience shows that only people who care about security much less than the OpenBSD security standards continue using them. For that reason, *almost* all real-world software still containing them turns out to be of inferior quality when audited thoroughly. Of course, such warnings cannot replace an actual audit, and just fixing the warnings themselves is useless, if not worse than useless, because it would just sweep the issues under the rug. The warnings just say that an audit is almost certainly needed. Yours, Ingo
