[4877] in bugtraq


[linux-security] so-called snprintf() in db-1.85.4 (fwd)

daemon@ATHENA.MIT.EDU (Aleph One)
Wed Jul 9 05:54:58 1997

Date: 	Wed, 9 Jul 1997 04:39:06 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG

---------- Forwarded message ----------
Date: Tue, 8 Jul 1997 21:33:55 +0200
From: Thomas Roessler <roessler@guug.de>
Reply-To: linux-security@redhat.com
To: linux-security@redhat.com
Cc: The mutt developpers' list <mutt-dev@cs.hmc.edu>, gertjan@cs.vu.nl
Subject: [linux-security] so-called snprintf() in db-1.85.4
Resent-Date: 9 Jul 1997 09:01:41 -0000
Resent-From: linux-security@redhat.com
Resent-cc: recipient list not shown:;@redhat.com

Hi,

There is a severe problem with the db-1.85.4 library's Linux
port that can be found on sunsite.unc.edu under
/pub/Linux/libs/db-1.85.4-src.tar.gz (sp?): This library
contains a "snprintf" function which breaks down to a common
sprintf, ignoring the size parameter.  Obviously, this was
thought to be a terribly bad work-around for C libraries which
don't contain an snprintf routine of their own.  The
consequences of this bug are obvious: Any program which is
linked with libdb.so.1.85.4 and relies on snprintf(3) to do
its bounds checking doesn't have any bounds checking at all.

Note that recent Linux C libraries contain an snprintf(3)
function of their own which does its job properly.  Thus, the
fix is to simply remove snprintf.o from libdb.

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
   1280/593238E1 · AE 24 38 88 1B 45 E4 C6  03 F5 15 6E 9C CA FD DB
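
A self-check for the condition reported above, added here as an example and not part of the original message or of the db-1.85.4 source: it tests whether the snprintf a program actually resolves at link time honors its size argument. The names `unbounded_snprintf` and `snprintf_honors_size` are hypothetical, and `unbounded_snprintf` is a constructed stand-in for the described behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by snprintf(3) and any replacement a library exports. */
typedef int (*snprintf_fn)(char *, size_t, const char *, ...);

/* Constructed stand-in for the behaviour described in the report: the size
 * argument is accepted and then ignored (this is not the libdb source). */
static int unbounded_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)size;
    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if fn stays inside `size` bytes, 0 if it writes past them.
 * The 8-byte logical buffer sits at the start of a 64-byte arena filled
 * with a canary, so an overrun is observable without corrupting memory. */
static int snprintf_honors_size(snprintf_fn fn)
{
    enum { SIZE = 8, ARENA = 64, CANARY = 0x5A };
    unsigned char arena[ARENA];
    size_t i;

    memset(arena, CANARY, sizeof arena);
    fn((char *)arena, SIZE, "%s", "0123456789ABCDEFGHIJ"); /* 20 chars */
    for (i = SIZE; i < ARENA; i++)
        if (arena[i] != CANARY)
            return 0;                   /* wrote beyond the stated size */
    return arena[SIZE - 1] == '\0';     /* truncated and NUL-terminated */
}

int main(void)
{
    printf("linked snprintf:    %s\n",
           snprintf_honors_size(snprintf) ? "bounded" : "UNBOUNDED");
    printf("unbounded stand-in: %s\n",
           snprintf_honors_size(unbounded_snprintf) ? "bounded" : "UNBOUNDED");
    return 0;
}
```

Linking the check with the same libraries, in the same order, as the program under review shows which snprintf definition that program ends up with.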
