On 02/23/2014 03:16 PM, Ingo Schwarze wrote:
Hi,

d...@genunix.com wrote on Sun, Feb 23, 2014 at 08:54:34AM -0500:

I am seeing strange and questionable messages while attempting a compile
and then test of GNU gettext 0.18.3.2 thus :

../gnulib-lib/.libs/libgettextlib.so: warning: stpcpy() is dangerous GNU crap;
don't use it

Yet stpcpy(3) on Linux says:

    CONFORMING TO
        This function was added to POSIX.1-2008. Before that, it was not
        part of the C or POSIX.1 standards, nor customary on UNIX systems,
        but was not a GNU invention either. Perhaps it came from MS-DOS.
        It is also present on the BSDs.

../gnulib-lib/.libs/libgettextlib.so: warning: strcpy() is almost always
misused, please use strlcpy()
../gnulib-lib/.libs/libgettextlib.so: warning: strcat() is almost always
misused, please use strlcat()
../gnulib-lib/.libs/libgettextlib.so: warning: sprintf() is often misused,
please use snprintf()

Are these messages coming from within the OpenBSD world?

Yes.  They come from ld(1), the OpenBSD linker, and cannot be disabled.

They are intended to remind the person building the software that
almost all real-world code still containing these functions today
almost certainly contains buffer overflow bugs, some of which may
be exploitable.  It is intended as a warning to avoid using such
software, which probably is of questionable quality, in any
security-critical applications, and it is intended as an incentive
to doing a thorough security audit.

Note that it is theoretically possible to use these functions
correctly; however, it is so much more difficult in practice than
using better interfaces in the first place that practical experience
shows that only people who care about security much less than the
OpenBSD security standards continue using them.  For that reason,
*almost* all real-world software still containing them turns out
to be of inferior quality when audited thoroughly.

Of course, such warnings cannot replace an actual audit, and just
fixing the warnings themselves is useless, if not worse than useless,
because it would just sweep the issues under the rug.
The warnings just say that an audit is almost certainly needed.

Yours,
   Ingo


Totally worth quoting :)
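The strcpy()/strcat() pattern the OpenBSD linker warns about, beside the bounded forms it recommends, as an added example that is not part of the thread or of gettext. The strlcpy()/strlcat() helpers are local re-implementations (named my_strlcpy/my_strlcat so they build on a libc without them), and the locale-path strings are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* strlcpy()/strlcat() with OpenBSD semantics, defined locally so the
 * example also builds on a libc that lacks them. Both always NUL-terminate
 * (when size > 0) and return the length the full result would have had,
 * so a return value >= size means the output was truncated. */
size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

size_t my_strlcat(char *dst, const char *src, size_t size) {
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)          /* dst already fills the buffer unterminated */
        return size + strlen(src);
    return dlen + my_strlcpy(dst + dlen, src, size - dlen);
}

/* The pattern ld(1) complains about: nothing bounds the writes into path[],
 * so a dir or file longer than the caller's buffer overflows it. */
void join_path_unsafe(char *path, const char *dir, const char *file) {
    strcpy(path, dir);
    strcat(path, "/");
    strcat(path, file);
}

/* Hardened form: every write is bounded and truncation is reported to the
 * caller instead of silently clipping the path. Returns 1 on success. */
int join_path_strl(char *path, size_t size, const char *dir, const char *file) {
    if (my_strlcpy(path, dir, size) >= size) return 0;
    if (my_strlcat(path, "/", size) >= size) return 0;
    if (my_strlcat(path, file, size) >= size) return 0;
    return 1;
}

/* Same contract with snprintf(): it never writes more than size bytes and
 * returns the length it wanted, so n >= size again signals truncation. */
int join_path_snprintf(char *path, size_t size, const char *dir, const char *file) {
    int n = snprintf(path, size, "%s/%s", dir, file);
    return n >= 0 && (size_t)n < size;
}
```

Checking the return value is the point: a truncated path that is silently used can be as much of a bug as an overflow, which is why the thread says fixing the warnings mechanically is not an audit.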
