Stronger caveat wrt stack smashing via % escapes. Each man page

carries the same caveat...

3 files changed, 48 insertions, 11 deletions

diff --git a/lib/libc/gen/setproctitle.3 b/lib/libc/gen/setproctitle.3
index a8eabe1a12e..fd0f5c22a6f 100644
--- a/lib/libc/gen/setproctitle.3
+++ b/lib/libc/gen/setproctitle.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: setproctitle.3,v 1.9 2000/07/07 00:13:56 aaron Exp $
+.\"	$OpenBSD: setproctitle.3,v 1.10 2000/07/16 22:44:58 millert Exp $
 .\"
 .\" Copyright (c) 1994, 1995 Christopher G. Demetriou
 .\" All rights reserved.
@@ -74,10 +74,20 @@ The
 function first appeared in
 .Nx 0.9a .
 .Sh CAVEATS
-Never pass a user-supplied string directly as a format without using %s,
-as an attacker can put format specifiers in that string to mangle your
-stack.
-Be sure to use the proper secure idiom:
+It is important to never pass a string with user-supplied data as a 
+format without using %s.
+An attacker can put format specifiers in the string to mangle your stack, 
+leading to a possible security hole.
+This holds true even if you have built the string
+.Dq by hand
+using a function like
+.Fn snprintf ,
+as the attacker can escape the percent sign
+.Pq Sq %
+for later interpolation by
+.Fn setproctitle .
+.Pp
+Be sure to always use the proper secure idiom:
 .Bd -literal -offset indent
 setproctitle("%s", string);
 .Ed
diff --git a/lib/libc/gen/syslog.3 b/lib/libc/gen/syslog.3
index 3dc53dd111c..f7e48e952f1 100644
--- a/lib/libc/gen/syslog.3
+++ b/lib/libc/gen/syslog.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: syslog.3,v 1.7 1999/07/09 13:35:19 aaron Exp $
+.\"	$OpenBSD: syslog.3,v 1.8 2000/07/16 22:44:58 millert Exp $
 .\"
 .\" Copyright (c) 1985, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -269,3 +269,21 @@ syslog(LOG_INFO|LOG_LOCAL2, "foobar error: %m");
 These
 functions appeared in
 .Bx 4.2 .
+.Sh CAVEATS
+It is important to never pass a string with user-supplied data as a
+format without using %s.
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if you have built the string
+.Dq by hand
+using a function like
+.Fn snprintf ,
+as the attacker can escape the percent sign
+.Pq Sq %
+for later interpolation by
+.Fn syslog .
+.Pp
+Be sure to always use the proper secure idiom:
+.Bd -literal -offset indent
+syslog("%s", string);
+.Ed
diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3
index 6a9f4f34942..4225c6fd77b 100644
--- a/lib/libc/stdio/printf.3
+++ b/lib/libc/stdio/printf.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: printf.3,v 1.29 2000/07/07 00:09:10 aaron Exp $
+.\"	$OpenBSD: printf.3,v 1.30 2000/07/16 22:44:57 millert Exp $
 .\"
 .\" Copyright (c) 1990, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -686,10 +686,19 @@ systems and the
 .Fn asprintf
 interface is not portable.
 .Pp
-Never print a user-supplied string directly as a format without using
-.Cm %s ,
-as an attacker can put format specifiers in that string to mangle
-your stack.
+It is important to never pass a string with user-supplied data as a
+format without using %s.
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if you have built the string
+.Dq by hand
+using a function like
+.Fn snprintf ,
+as the attacker can escape the percent sign
+.Pq Sq %
+for later interpolation by
+.Fn printf .
+.Pp
 Be sure to use the proper secure idiom:
 .Bd -literal -offset indent
 snprintf(buffer, sizeof(buffer), "%s", string);