[7071] in bugtraq
Re: patch for qpopper remote exploit bug
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Sun Jun 28 01:35:10 1998
Date: Sat, 27 Jun 1998 16:50:40 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Andres Kroonmaa <andre@ML.EE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Sat, 27 Jun 1998 21:21:13 +0300."
<12A7B2C1251@mail.lbi.ee>
Yeah, but what about systems that do _not_ have vsnprintf()?
Using calls without bounds checks can be justified as long
as it is made dead sure that no bounds would be ever exceeded.
You complain to your vendors.
This is a function which every vendor should have in their libraries.
If they don't, I can promise you that OS has not been audited, and
that 10 or so bugs in libc exist which will bite you.
Today, snprintf and vsnprintf are required. Without them, there's
some code in the libraries which cannot be written safely.
ie:
gen/syslog.c: prlen = vsnprintf(p, tbuf_left, fmt_cpy, ap);
Hmm.
