Kees Cook (kees) wrote :

The issue isn't if %n works, but if %n is in writable memory:

$ kdesudo echo "%x%x%n"
*** %n in writable segment detected ***

Test programs to see this need to have writable memory, and be compiled with -O2 (the default for kdesudo).

It's also unimportant because there are no privileges yet when the expansion occurs. The output is being run as root, that's true, but again, the user must know the root password to have this happen, so there's no escalation of existing privileges. The case for user-assisted attacks is very unlikely. (Though perhaps I'm just being uncreative when it comes to %-expansions.)

This is a bug, and needs to be fixed, though. I'll go poke the maintainer again.
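As an added illustration of the point above (example code, not from kdesudo or the bug report): a small C helper that reports whether a string carries a %n conversion (skipping "%%" escapes and any flags, width, precision or length modifiers), alongside the printf usage that treats the user's string as data rather than as the format. The function names are hypothetical.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical helper: scan a string for a %n conversion. This is a
 * pre-check for review or logging; the abort shown above comes from
 * glibc's fortify check at the printf call itself, which needs -O2 and
 * a format string in writable memory to trigger. */
bool format_has_percent_n(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" is a literal percent sign, not a directive */
            continue;
        /* skip flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == 'n')
            return true;
        if (*p == '\0')         /* trailing lone '%': stop before running off the end */
            break;
    }
    return false;
}

/* The pattern an echo-style command should use: the user's string is
 * an argument to a fixed format, so %n in it is never interpreted.
 * Returns printf's character count. */
int safe_echo(const char *user_string)
{
    return printf("%s\n", user_string);
}

int main(int argc, char **argv)
{
    /* constructed sample input, mirroring the string in the report */
    const char *arg = argc > 1 ? argv[1] : "%x%x%n";
    if (format_has_percent_n(arg))
        fprintf(stderr, "note: argument contains %%n; it must not be used as a format\n");
    safe_echo(arg);
    return 0;
}
```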