Re: Vulnerability in the Xt library
daemon@ATHENA.MIT.EDU (Mike Neuman)
Wed Aug 28 19:52:35 1996
Date: Wed, 28 Aug 1996 17:21:37 -0600
Reply-To: mcn@EnGarde.com
From: Mike Neuman <mcn@remise.ORG>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: casper's message of Wed, 28 Aug 1996 09:54:25 +0200. <199608280754.JAA16228@albano>

> This pretty much depends on how doprnt works (also, the vs 3 compiler from
> Sun has different stack allocations, depending on the optimization).

You're right. My data point was from a Solaris 1.x system, which appears
to be invulnerable to this specific attack for the sprintf() format overflow
reason. (Hmmm, reason not to upgrade? :-) )

Actually, it seems the BSD _doprnt (including the 4.4BSD equivalent
vfprintf()) will continue until they encounter a '\0' (or segfault), which
probably means they are somewhat less vulnerable.

Thanks for the clarification.
-Mike
mcn@EnGarde.com