[11843] in bugtraq


Re: ProFTPD 1.2.0pre4 available

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Sat Sep 11 04:53:32 1999

Message-Id:  <199909090551.XAA18210@cvs.openbsd.org>
Date:         Wed, 8 Sep 1999 23:51:46 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         pfaffben@msu.edu
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Fri, 03 Sep 1999 20:28:05 EDT." 
              <87g10vfrl6.fsf@pfaffben.user.msu.edu>

> In addition, it is worth noting that snprintf() as specified by the
> C9x draft has return value semantics different from those commonly
> found.  As a result, calls to snprintf() where the return value is
> checked should be scrutinized, since this change could presumably pose
> a security risk.
>
> To cite one place where this changes, glibc 2.1 uses the C9x return
> value semantics, whereas glibc 2.0 uses the older semantics.

Yes, people should be really careful about this.

- The 4.4 BSD snprintf routines were mostly right before, and now
  they are even better.  I can only speak for OpenBSD.
- The older Solaris versions are broken.
- The newer Solaris versions are wrong (7+?).
- The opengroup XPG web documentation is wrong.
- But the opengroup group internal documentation is fixed (we believe)
- Older C9X specifications are wrong.
- Newer versions of the C9X specification are fixed (we believe)

Casper Dik, Todd Miller, Chris Torek, and I got in touch with the
standards committees and got it fixed.  The fixed versions return the
amount of data they wanted to put into the string, even if they fail.
The broken versions returned -1 or the truncation length.  A few other
issues regarding -1 return values also existed.
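The two return-value conventions the thread is about, shown as an added C example (not code from Theo's message, ProFTPD, or any libc). `snprintf_probe` reports which convention the local libc follows; `append_checked` is an assumed helper that uses the C99 (post-fix) semantics correctly, so truncation is detected and the write offset can never run past the buffer; `naive_offset_after` shows the offset that the common "off += snprintf(...)" pattern ends up with when the string does not fit, which is the state the message warns about. Function names and the 8-byte sample buffers are constructed for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Probe the local libc.  With the fixed (final C9X) semantics the call
 * returns the length it wanted to write, 8.  The pre-fix 4.4BSD routine
 * returned the truncated length (3); old Solaris returned -1. */
int snprintf_probe(void)
{
    char tiny[4];
    return snprintf(tiny, sizeof tiny, "%s", "abcdefgh");
}

/* Append formatted text at *off inside buf[size] (assumed helper).
 * Returns 1 if everything fit, 0 if it was truncated or failed.
 * *off never advances past size-1, so a later call can never be handed
 * an offset beyond the buffer or an underflowed "remaining" size. */
int append_checked(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    size_t remaining;
    int n;

    if (*off >= size)               /* buffer already full */
        return 0;
    remaining = size - *off;

    va_start(ap, fmt);
    n = vsnprintf(buf + *off, remaining, fmt, ap);
    va_end(ap);

    if (n < 0)                      /* encoding error, or the old -1 style */
        return 0;
    if ((size_t)n >= remaining) {   /* C99: n is the wanted length */
        *off = size - 1;            /* buf[size-1] is the terminating NUL */
        return 0;
    }
    *off += (size_t)n;
    return 1;
}

/* The pattern the thread warns about: treating the return value as bytes
 * actually written.  With C99 semantics a truncated call pushes the offset
 * past the end of the buffer; a following "size - off" is then a huge
 * unsigned value and the next write goes out of bounds.  This function
 * only reports the resulting offset and performs no second write. */
size_t naive_offset_after(char *buf, size_t size, const char *s)
{
    size_t off = 0;
    off += (size_t)snprintf(buf, size, "%s", s);
    return off;
}

int main(void)
{
    char buf[8];
    size_t off = 0;

    printf("probe returned %d\n", snprintf_probe());
    append_checked(buf, sizeof buf, &off, "%s", "abc");
    append_checked(buf, sizeof buf, &off, "%s", "defghij");  /* truncated */
    printf("checked: \"%s\", off=%zu\n", buf, off);
    printf("naive offset: %zu (buffer is %zu bytes)\n",
           naive_offset_after(buf, 4, "abcdefgh"), (size_t)4);
    return 0;
}
```

The check `(size_t)n >= remaining` is the one-line rule for the fixed semantics: a return value equal to or larger than the space offered means the output was cut, and `n < 0` still has to be handled for libcs that never adopted the fix.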
