[Announce] GnuPG 1.4 and 2.0 buffer overflow

Werner Koch wk at gnupg.org
Thu Nov 30 11:50:10 CET 2006

On Wed, 29 Nov 2006 17:32, christianbiere at gmx.de said:

> Also replacement implementations for snprintf() have been around for years
> and vsnprintf() can be used to write your own asprintf() in about 5 lines.

va_copy is not a standard function/macro and actually missing on a lot
of systems or again buggy.  Without that you can implement neither
asprintf nor your proposed astrcat - unless you want to resort to
realloc chains.

Instead of repeating these old discussions over and over again, I
wonder why people don't look at the code to figure out the flaws.  A
bug lurking for 7 years and not detected by thousands of eyeballs
scrutinizing every line of free code?  SCNR.



More information about the Gnupg-devel mailing list