Re: [linux-security] Re: Re: so-called snprintf() in db-1.85.4
Willy TARREAU (tarreau@AEMIAIF.LIP6.FR)
Thu, 10 Jul 1997 16:58:43 +0200
>
> ---------- Forwarded message ----------
> Date: Wed, 9 Jul 1997 11:20:08 -0400 (EDT)
> From: Illuminati Primus <vermont@gate.net>
> To: Hal DeVore <hdevore@bmc.com>
> Cc: Thomas Roessler <roessler@guug.de>, linux-security@redhat.com
> Subject: [linux-security] Re: Re: so-called snprintf() in db-1.85.4
>
> ldd /usr/sbin/sendmail
> libgdbm.so.1 => /lib/libgdbm.so.1
> libdb.so.1 => /usr/lib/libdb.so.1
> libc.so.5 => /lib/libc.so.5
>
> Does this mean that the all occurences of snprintf in my sendmail are now
> susceptible to overflows? Or might the order of the links to the
> libraries override libdb's snprintf with the libc version? I am unsure
> about how symbols are loaded from libraries...
>
Personnaly, I've patched my libdb.so.1 to rename sprintf() and snprintf()
so that I'm sure that no program will use them. As they are also defined
in libc.so, this should never cause any problem.
Willy
--
+---------------+------------------------+----------------------------------+
| Willy Tarreau | tarreau@aemiaif.lip6.fr | http://www-miaif.lip6.fr/willy/ |
| Magistere d'Informatique Appliquee de l'Ile de France (MIAIF), promo 97 |
| DEA A.S.I.M.E. | Universite Pierre et Marie Curie (Paris 6), FRANCE |
+-----------------+---------------------------------------------------------+