On 5/3/07, Robert Shearman rob@codeweavers.com wrote:
Tom Spear wrote:
I was writing up a Hello World with input program for a demonstration for a non-developer coworker last week, and used the unsecured getch() and got the standard warning about how it was unsecured and dangerous to use that. That prompted me to look up the basic secured functions on the MS website, and compare to wine code. According to MSDN, things like gets have been replaced with gets_s. However, as far as I can tell, wine still only implements gets for Windows programs to use.. Do we implement secured versions of other functions, and if not, how come?
Q: Why doesn't Wine implement X? A: Because not many programs use it and no-one has felt interested in implementing it for fun.
So in other words, most programs use insecure functions (like gets) instead of using secure functions (like gets_s), leaving themselves vulnerable to all sorts of buffer overflows? I wonder if microsoft doesn't silently convert gets calls to gets_s calls, then, and maybe didn't document that?
Otherwise I assume there would be thousands of buffer overflows that (malicious) people would exploit.
I understand that most programs dont use either of those functions, but there are others that are used by nearly every program that ms deprecated in favor of secure versions.
On Thu, May 03, 2007 at 04:16:31PM -0500, Tom Spear wrote:
On 5/3/07, Robert Shearman rob@codeweavers.com wrote:
Tom Spear wrote:
I was writing up a Hello World with input program for a demonstration for a non-developer coworker last week, and used the unsecured getch() and got the standard warning about how it was unsecured and dangerous to use that. That prompted me to look up the basic secured functions on the MS website, and compare to wine code. According to MSDN, things like gets have been replaced with gets_s. However, as far as I can tell, wine still only implements gets for Windows programs to use.. Do we implement secured versions of other functions, and if not, how come?
Q: Why doesn't Wine implement X? A: Because not many programs use it and no-one has felt interested in implementing it for fun.
So in other words, most programs use insecure functions (like gets) instead of using secure functions (like gets_s), leaving themselves vulnerable to all sorts of buffer overflows? I wonder if microsoft doesn't silently convert gets calls to gets_s calls, then, and maybe didn't document that?
Otherwise I assume there would be thousands of buffer overflows that (malicious) people would exploit.
I understand that most programs dont use either of those functions, but there are others that are used by nearly every program that ms deprecated in favor of secure versions.
wine is not using gets() at all, insofar there is no risk from it. It would be quite hard to convert gets -> gets_s by magic ;)
Ciao, Marcus
On 5/3/07, Marcus Meissner marcus@jet.franken.de wrote:
wine is not using gets() at all, insofar there is no risk from it.
That much I knew, however we do use strcpy (especially in msi), and that is another one that has been deprecated ("banned")..
See http://msdn2.microsoft.com/en-us/library/bb288454.aspx for the complete list..
It would be quite hard to convert gets -> gets_s by magic ;)
hmm, I thought so, and re-reading the page, it appears that it is actually more of a proposal, than a list of api's that have actually already been deprecated, however if msdn has an article from the sdl that pushes for the deprecation of non-strsafe functions, I think we should take that seriously, and at least investigate the difficulty (I'm not pushing for it to be replaced anywhere in the code right now, because we are already spread too thin).
Am Donnerstag 03 Mai 2007 23:58 schrieb Tom Spear:
On 5/3/07, Marcus Meissner marcus@jet.franken.de wrote:
wine is not using gets() at all, insofar there is no risk from it.
That much I knew, however we do use strcpy (especially in msi), and that is another one that has been deprecated ("banned")..
Afair some time ago part of the code was using strncpy which has a destination size count and is sometimes considered safe because of that. The strncpy calls were removed some time ago. Not sure why, but I think thats because strncpy has tricky cavecats too, like not necessarily terminating the string with '\0'. I don't know about the _s APIs, but I guess they're not fool prove either and look like a sort of embrace and extend to me.
As for applications using the safe functions I think Frank is right and they are implemented in the visual studio specifc msvcrt dlls, thus wine doesn't have to implement them. My Visual Studio 6 doesn't know them.
On Thu, May 03, 2007 at 04:58:58PM -0500, Tom Spear wrote:
On 5/3/07, Marcus Meissner marcus@jet.franken.de wrote:
wine is not using gets() at all, insofar there is no risk from it.
That much I knew, however we do use strcpy (especially in msi), and that is another one that has been deprecated ("banned")..
See http://msdn2.microsoft.com/en-us/library/bb288454.aspx for the complete list..
It would be quite hard to convert gets -> gets_s by magic ;)
hmm, I thought so, and re-reading the page, it appears that it is actually more of a proposal, than a list of api's that have actually already been deprecated, however if msdn has an article from the sdl that pushes for the deprecation of non-strsafe functions, I think we should take that seriously, and at least investigate the difficulty (I'm not pushing for it to be replaced anywhere in the code right now, because we are already spread too thin).
Newer gcc have checking for strcpy() overflows, and I have local patches for buffer overflow checking for some of our other string functions.
Meaning ... I am watching at least the Wine Internals ;)
Ciao, Marcus
On Thursday 03 May 2007 23:16, Tom Spear wrote:
Otherwise I assume there would be thousands of buffer overflows that (malicious) people would exploit.
Noone should use gets(). There are lots of better alternatives. For the other deprecated functions, there are ways to check that the input is valid before calling it, iirc.
As far as imnplementing the secured functions in Wine, I have yet to see a program that's failing because it tries to use one of them.
Cheers, Kai
On 5/3/07, Kai Blin kai.blin@gmail.com wrote:
On Thursday 03 May 2007 23:16, Tom Spear wrote:
Noone should use gets(). There are lots of better alternatives. For the other deprecated functions, there are ways to check that the input is valid before calling it, iirc.
I agree that nobody uses it, and that there are better alternatives, I was just using it as an example. You are correct, though about there being ways to check the input.
As far as imnplementing the secured functions in Wine, I have yet to see a program that's failing because it tries to use one of them.
I do agree that we shouldnt implement it until a program fails. I know I worded the email wrong. I was actually just wondering if we had any plans to implement them in the future and if we had the resources to do that.
-
Kai Blin -
Marcus Meissner -
Marcus Meissner -
Stefan Dösinger -
Tom Spear