Bug 15223
Summary: | Mention security in the manpages for strcat, scanf, and getopt | ||
---|---|---|---|
Product: | Documentation | Reporter: | Jason Spiro (jasonspiro4) |
Component: | man-pages | Assignee: | Waseem Sarwar (mwasimsarwar) |
Status: | RESOLVED CODE_FIX | ||
Severity: | enhancement | CC: | alan, mwasimsarwar, xerofoify |
Priority: | P1 | ||
Hardware: | All | ||
OS: | Linux | ||
Kernel Version: | Linux man-pages 3.23 | Subsystem: | |
Regression: | No | Bisected commit-id: |
Description
Jason Spiro
2010-02-04 09:51:29 UTC
How does this sound for a "SECURITY" manpage section? === Programs that use this function may allow malicious users to take complete control of the machine by causing buffer overflows. As David Wheeler writes, "any time your program reads or copies data into a buffer, it needs to check that there's enough space before making the copy. An exception is if you can show it can't happen -- but often programs are changed over time that make the impossible possible." === Note 1: I wrote the first sentence of that paragraph. You can use it, of course. Note 2: On second thought, please only change the strcat and scanf manpages. It's not so clear to me anymore that getopt is insecure. This bug is outdated. Please test against newer man pages. Cheers Nick |