Subject: Re: ssh buffer overflow / package?
To: Todd C. Miller <Todd.Miller@courtesan.com>
From: Andrew Brown <firstname.lastname@example.org>
Date: 11/02/1998 15:01:31
>The only source from 2.x is an snprintf implementation, which NetBSD
>doesn't need since it is in libc. To use vsnprintf() instead of
>vsprintf() in the logging functions like the IBM advisory suggests
>you can apply the following.
or you can just add the macro
#define vsprintf(buf, fmt, args) vsnprintf(buf, sizeof(buf), fmt, args)
to each of the three files in question.
the only problem with this (ie, why i didn't simply do this but
instead did the whole routine as advised by ibm in the rootshell
advisory) is because of this nice big comment at the top of the
snprintf.h file that you're supposed to steal from the ssh2 package:
/* Write formatted text to buffer 'str', using format string 'format'.
Returns number of characters written, or negative if error
occurred. SshBuffer's size is given in 'size'. Format string is
understood as defined in ANSI C.
NOTE: This does NOT work identically with BDS's snprintf.
Integers: Ansi C says that precision specifies the minimun
number of digits to print. BSD's version however counts the
prefixes (+, -, ' ', '0x', '0X', octal prefix '0'...) as
Also, BSD implementation does not permit padding integers
to specified width with zeros on left (in front of the prefixes),
it uses spaces instead, even when Ansi C only forbids padding
with zeros on the right side of numbers.
they're subtlely different and where security is concerned, i'd rather
not fiddle about with maybes.
|-----< "CODE WARRIOR" >-----|
email@example.com * "ah! i see you have the internet
firstname.lastname@example.org (Andrew Brown) that goes *ping*!"
email@example.com * "information is power -- share the wealth."