Subject: Re: Format strings & i18n
From: Alan Cox (alanlxorguk.ukuu.org.uk)
Date: Fri Oct 13 2000 - 16:41:25 CDT


> > So instead of fprintf(stderr, catget("You made a %s mistake"), progname);
> > Programmers would use:
> > fprintf(stderr, verify_catget("You made a %s mistake"), progname);
>
> This is hard to implement reliably, as there would need to be two
> parsers which behave exactly the same. There's also a non-security
> problem pointed out in the Bugtraq discussion in July: the format
> strings are hard to translate into other languages as the order of
> conversion specifiers is fixed.

The GNU NLS allows reordering of specifiers.

> > PS. While writing this I noticed that sudo doesn't seem to clear LANGUAGE
> > etc. environment ...
>
> IMO, this needs to be changed.

So every time a Japanese user types su and doesn't speak English they are lost?
Suid programs should probably only use message catalogs that are either
a) root owned or b) subject to some kind of path restriction.

Tools like su and sudo explicitly preserve the environment; su - should change
language if the root user on that box is set up with another language.

Alan
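The verify_catget() idea quoted at the top of this message, as an added C example that is not part of the thread (function and constant names are hypothetical): the catalog translation is accepted only when its conversion specifiers, including GNU positional "%N$" reordering, consume exactly the arguments the original string does; anything else, such as extra specifiers, a changed type, or %n, makes it fall back to the original.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARGS 16
/* Conversions vouched for, and the C type class each one consumes; %n, '*' and anything unlisted fail closed. */
static const char CONVS[]   = "diouxXeEfFgGcsp";
static const char CLASSES[] = "dduuuuffffffcsp";

/* Fill sig[i] with "<length modifiers><type class>" for the spec that
 * consumes argument i (GNU positional "%N$" supported). Returns the
 * argument count, or -1 if a spec is unsupported or a slot conflicts. */
static int format_signature(const char *fmt, char sig[][4], int max)
{
    int count = 0, next = 0;
    memset(sig, 0, (size_t)max * 4);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                        /* literal %% */
        int idx = next;
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;
        if (q > p && *q == '$') { if (q - p > 2) return -1; idx = atoi(p) - 1; p = q + 1; }
        else next++;
        while (*p && strchr("-+ #0", *p)) p++;            /* flags */
        while (isdigit((unsigned char)*p)) p++;           /* width */
        if (*p == '.') { p++; while (isdigit((unsigned char)*p)) p++; }
        char entry[4] = {0}; int n = 0;
        while (n < 2 && *p && strchr("hlLqjzt", *p)) entry[n++] = *p++;
        const char *hit = *p ? strchr(CONVS, *p) : NULL;
        if (!hit || idx < 0 || idx >= max) return -1;
        entry[n] = CLASSES[hit - CONVS];
        if (sig[idx][0] && strcmp(sig[idx], entry) != 0) return -1;
        strcpy(sig[idx], entry);
        if (idx >= count) count = idx + 1;
    }
    return count;
}

/* Hypothetical verify_catget(): return the translation only if it consumes the
 * same arguments as the original, so a bad catalog cannot change how fprintf() walks the argument list. */
const char *verify_catget(const char *orig, const char *translated)
{
    char a[MAX_ARGS][4], b[MAX_ARGS][4];
    int na = format_signature(orig, a, MAX_ARGS);
    int nb = format_signature(translated, b, MAX_ARGS);
    if (na < 0 || nb != na || memcmp(a, b, sizeof a) != 0)
        return orig;
    return translated;
}
```

Width and precision are ignored since they do not change which arguments are consumed, but length modifiers are compared because %d and %ld read different types.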