Subject: Re: ssh buffer overflow / package?
To: Andrew Brown <>
From: Todd Vierling <>
List: tech-security
Date: 11/02/1998 17:56:22
On Mon, 2 Nov 1998, Andrew Brown wrote:

: the only problem with this (ie, why i didn't simply do this but
: instead did the whole routine as advised by ibm in the rootshell
: advisory) is because of this nice big comment at the top of the
: snprintf.h file that you're supposed to steal from the ssh2 package:

:    NOTE: This does NOT work identically with BDS's snprintf.

: they're subtlely different and where security is concerned, i'd rather
: not fiddle about with maybes.

However, the comment indicates that the snprintf from ssh2 has the
ambiguity--you'd be changing behavior by using it.  Remember, you're
replacing calls to _BSD's_ vsprintf with _BSD's_ vsnprintf, which changes no

-- Todd Vierling (Personal; Bus.