Debian Bug report logs - #413940
Here is new suggested text for the strcpy manpage

version graph

Package: manpages-dev; Maintainer for manpages-dev is Dr. Tobias Quathamer <toddy@debian.org>; Source for manpages-dev is src:manpages (PTS, buildd, popcon).

Reported by: "Jason Spiro" <jasonspiro4@gmail.com>

Date: Thu, 8 Mar 2007 00:27:07 UTC

Severity: normal

Tags: fixed-upstream

Found in version manpages/2.17-1

Done: Martin Schulze <joey@infodrom.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, accudity@gmail.com;dwheeler@dwheeler.com, Martin Schulze <joey@debian.org>:
Bug#413940; Package manpages-dev. (full text, mbox, link).

Acknowledgement sent to "Jason Spiro" <jasonspiro4@gmail.com>:
New Bug report received and forwarded. Copy sent to accudity@gmail.com;dwheeler@dwheeler.com, Martin Schulze <joey@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Jason Spiro" <jasonspiro4@gmail.com>
To: submit@bugs.debian.org
Subject: Here is new suggested text for the strcpy manpage
Date: Wed, 7 Mar 2007 19:24:39 -0500
Package: manpages-dev
Version: 2.17-1
X-Debbugs-CC: accudity@gmail.com;dwheeler@dwheeler.com

I suggest this new text for the bottom of the strcpy manpage:

"Programs that use strcpy may allow malicious users to take complete
control of the machine by causing buffer overflows. Any time a program
reads or copies data into a buffer, the program needs to check that
there's enough space first. This may be unnecessary if you can show
it's impossible; but programs can get changed over time, making the
impossible possible. See also: http://dwheeler.com/secure-programs/"

I wrote the new text and hereby release this work to the public
domain. The text is adapted from a FAQ by David Wheeler.  Also,
accudity@gmail.com helped me with the wording. Thanks to you both.

Regards,
Jason Spiro

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#413940; Package manpages-dev. (Tue, 28 Oct 2008 20:03:02 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Kerrisk <mtk.manpages@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>. (Tue, 28 Oct 2008 20:03:02 GMT) (full text, mbox, link).

Message #10 received at 413940@bugs.debian.org (full text, mbox, reply):

From: Michael Kerrisk <mtk.manpages@googlemail.com>
To: 413940@bugs.debian.org, "Jason Spiro" <jasonspiro4@gmail.com>
Cc: accudity@gmail.com, dwheeler@dwheeler.com, debc <control@bugs.debian.org>
Subject: Re: Here is new suggested text for the strcpy manpage
Date: Tue, 28 Oct 2008 14:58:12 -0500
tags 413940 fixed-upstream
thanks

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413940

> I suggest this new text for the bottom of the strcpy manpage:
>
> "Programs that use strcpy may allow malicious users to take complete
> control of the machine by causing buffer overflows. Any time a program
> reads or copies data into a buffer, the program needs to check that
> there's enough space first. This may be unnecessary if you can show
> it's impossible; but programs can get changed over time, making the
> impossible possible. See also: http://dwheeler.com/secure-programs/"
>
> I wrote the new text and hereby release this work to the public
> domain. The text is adapted from a FAQ by David Wheeler.  Also,
> accudity@gmail.com helped me with the wording. Thanks to you both.

Jason,

The upstream man-page already had:

   BUGS
       If the destination string of  a  strcpy()  is  not  large
       enough  (that  is,  if the programmer was stupid or lazy,
       and failed to check the size before  copying)  then  any-
       thing  might happen.  Overflowing fixed-length strings is
       a favorite cracker technique.

I've reworked the text, incorporating parts of your proposed text:

   BUGS
       If the destination string of  a  strcpy()  is  not  large
       enough,  then  anything might happen.  Overflowing fixed-
       length string buffers is a favorite cracker technique for
       taking  complete control of the machine.  Any time a pro-
       gram reads or copies data  into  a  buffer,  the  program
       first needs to check that there's enough space.  This may
       be unnecessary if you can show that overflow is  impossi-
       ble,  but be careful: programs can get changed over time,
       in ways that may make the impossible possible.

The changes will be in upstream man-pages-3.12.

Thanks for your input!

Cheers,

Michael
--- a/man3/strcpy.3
+++ b/man3/strcpy.3
@@ -123,10 +123,14 @@ if (n > 0)
 .SH BUGS
 If the destination string of a
 .BR strcpy ()
-is not large enough
-(that is, if the programmer was stupid or lazy, and failed to check
-the size before copying) then anything might happen.
-Overflowing fixed-length strings is a favorite cracker technique.
+is not large enough, then anything might happen.
+Overflowing fixed-length string buffers is a favorite cracker technique
+for taking complete control of the machine.
+Any time a program reads or copies data into a buffer,
+the program first needs to check that there's enough space.
+This may be unnecessary if you can show that overflow is impossible,
+but be careful: programs can get changed over time,
+in ways that may make the impossible possible.
 .SH "SEE ALSO"
 .BR bcopy (3),
 .BR memccpy (3),

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
git://git.kernel.org/pub/scm/docs/man-pages/man-pages.git
man-pages online: http://www.kernel.org/doc/man-pages/online_pages.html
Found a bug? http://www.kernel.org/doc/man-pages/reporting_bugs.html

Tags added: fixed-upstream Request was from Michael Kerrisk <mtk.manpages@googlemail.com> to control@bugs.debian.org. (Tue, 28 Oct 2008 20:03:04 GMT) (full text, mbox, link).

Bug closed, send any further explanations to "Jason Spiro" <jasonspiro4@gmail.com> Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org. (Fri, 21 Nov 2008 10:33:13 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Dec 2008 07:28:47 GMT) (full text, mbox, link).

Bug unarchived. Request was from "Jason A. Spiro" <jasonspiro@gmail.com> to control@bugs.debian.org. (Thu, 04 Feb 2010 09:57:10 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#413940; Package manpages-dev. (Thu, 04 Feb 2010 20:33:05 GMT) (full text, mbox, link).

Acknowledgement sent to "Jason A. Spiro" <jasonspiro4@gmail.com>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>. (Thu, 04 Feb 2010 20:33:05 GMT) (full text, mbox, link).

Message #23 received at 413940@bugs.debian.org (full text, mbox, reply):

From: "Jason A. Spiro" <jasonspiro4@gmail.com>
To: 413940@bugs.debian.org
Subject: Re: Bug#413940: Here is new suggested text for the strcpy manpage
Date: Thu, 4 Feb 2010 15:27:42 -0500
FYI, I have now filed a kernel Bugzilla bug report[1] about the other
most important manpages which should mention security but don't.

^  [1].  http://bugzilla.kernel.org/show_bug.cgi?id=15223 -- "Mention
security in the manpages for strcat, scanf, and getopt"

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Mar 2010 07:32:59 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 9 09:56:53 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.