[15558] in bugtraq


Re: WuFTPD: Providing *remote* root since at least 1994

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Thu Jun 29 15:06:16 2000

Message-Id:  <200006291636.e5TGaUv24870@cvs.openbsd.org>
Date:         Thu, 29 Jun 2000 10:36:30 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         pfaffben@msu.edu
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "29 Jun 2000 12:09:00 EDT."
              <87k8f8v59f.fsf@pfaffben.user.msu.edu>

> Theo de Raadt <deraadt@CVS.OPENBSD.ORG> writes:
>
> [...regarding snprintf()...]
>
> > > b) Returns -1 and truncate with a \0
> >
> > Can you please list the vendors who have the incorrect behaviours you
> > described in (a) and (b) so that we can properly bitch at them?
>
> glibc before 2.1.x, for one.

Yes, it is known that older glibc had a security issue because their
snprintf was broken, but there is newer software now which does not
have this specific security issue.

There are probably 30+ snprintf calls in OpenBSD which require that
snprintf return the length of buffer it wanted.  We have absolutely no
plans to change those into less-optimal chunks of code.  It's even
possible that openssh has code to do so.

For those 30+ cases, as soon as you assume that snprintf is broken,
the code size for handling that increases massively.  That increased
complexity is not needed.

This is much like how we don't write code for dealing with the busted
connect() system call in Linux (socket reuse in non-blocking mode).
But on the other hand, Linux has also eroded the meaning of the struct
timeval * in select(), so in that case we have dealt with that issue.
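The snprintf() contract the message relies on, as an added example (not code from OpenBSD or from the poster): join_path uses the truncation check that is correct under both behaviours described above, and format_alloc shows the extra retry branch that exists only to cope with a libc that returns -1 instead of the needed length. Function names and the 1 MiB growth limit are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Truncation check valid under both snprintf() behaviours: a C99 libc
 * returns the length that was needed (>= dstsz means truncated), an old
 * glibc returns -1.  Returns 0 on success, -1 if the result did not fit
 * (dst is still NUL-terminated either way). */
int join_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

/* Format into a malloc'd buffer.  With C99 semantics the first call's
 * return value gives the exact size, so at most one retry happens.  The
 * "n < 0" branch is the extra code needed only for a broken snprintf():
 * the buffer is doubled blindly until the output fits (bounded at 1 MiB
 * so an encoding error cannot loop forever). */
char *format_alloc(const char *fmt, ...)
{
    size_t sz = 64;
    char *buf = NULL;

    for (;;) {
        char *nbuf = realloc(buf, sz);
        if (nbuf == NULL) {
            free(buf);
            return NULL;
        }
        buf = nbuf;

        va_list ap;
        va_start(ap, fmt);
        int n = vsnprintf(buf, sz, fmt, ap);
        va_end(ap);

        if (n >= 0 && (size_t)n < sz)
            return buf;                 /* fit, including the NUL */
        if (n >= 0) {
            sz = (size_t)n + 1;         /* C99: exact size is known */
        } else {
            sz *= 2;                    /* old glibc: no size hint at all */
            if (sz > (1u << 20)) {
                free(buf);
                return NULL;
            }
        }
    }
}
```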
