In response to a public outcry the strings program now defaults to using the

--all option which displays text from anywhere in the input file(s).  The
default used to be --data, which only displays text from loadable data sections,
but this requires the use of the BFD library.  Since the BFD library almost
certainly still contains buffer overrun and/or memory corruption bugs, and
since the strings program is often used to examine malicious code, it was
decided that the --data option option represents a possible security risk.

	* strings.c: Add new command line option --data to only scan the
	initialized, loadable data secions of binaries.  Choose the
	default behaviour of --all or --data based upon a configure
	option.
	* doc/binutils.texi (strings): Update documentation.  Include
	description  of why the --data option might be unsafe.
	* configure.ac: Add new option --disable-default-strings-all which
	restores the old behaviour of strings using --data by default.  If
	the option is not used make strings use --all by default.
	* NEWS: Mention the new behaviour of strings.
	* configure: Regenerate.
	* config.in: Regenerate.

1 files changed, 12 insertions, 0 deletions

diff --git a/binutils/configure.ac b/binutils/configure.ac
index c5da20d..c5aadd8 100644
--- a/binutils/configure.ac
+++ b/binutils/configure.ac
@@ -55,6 +55,18 @@ fi], [default_ar_deterministic=0])
 AC_DEFINE_UNQUOTED(DEFAULT_AR_DETERMINISTIC, $default_ar_deterministic,
 		   [Should ar and ranlib use -D behavior by default?])
 
+AC_ARG_ENABLE(default-strings-all,
+[AS_HELP_STRING([--disable-default-strings-all],
+		[strings defaults to --data behavior])], [
+if test "${enableval}" = no; then
+  default_strings_all=0
+else
+  default_strings_all=1
+fi], [default_strings_all=1])
+
+AC_DEFINE_UNQUOTED(DEFAULT_STRINGS_ALL, $default_strings_all,
+		   [Should strings use -a behavior by default?])
+
 AM_BINUTILS_WARNINGS
 
 AC_CONFIG_HEADERS(config.h:config.in)