Bug#12127: Awful security problem with libdb !



Package: libdb1, libdb1-dev
Version: 1.85.4-3

See the transcripts below and the message from Thomas Roessler on
linux-security.  Basically, some complete and utter idiot put an
implementation of [v]snprintf in libdb which just calls [v]sprintf,
without any bounds checking !

This means that any program linked against libdb which uses
[v]snprintf to try to prevent buffer overruns is now full of buffer
overruns !

AAARGH !  Who is the perpetrator of this braindamage and can I shoot
them please ?!

Ian.

-davenant:~/junk> cat t.c
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
int main(int argc, char **argv) {
  char buf[21]= "01234567890123456789";
  assert(argv[1]);
  snprintf(buf,10,">%s<",argv[1]);
  printf("}%s{\n",buf);
  if (ferror(stdout) || fflush(stdout)) { perror("stdout"); exit(1); }
  exit(0);
}
-davenant:~/junk> gcc -Wall t.c
-davenant:~/junk> ./a.out hello
}>hello<{
-davenant:~/junk> ./a.out hello-there-people
}>hello-th{
-davenant:~/junk> gcc -Wall t.c -ldb
-davenant:~/junk> ./a.out hello
}>hello<{
-davenant:~/junk> ./a.out hello-there-people
}>hello-there-people<{
-davenant:~/junk> 

-davenant:~> nm -a /usr/lib/libdb.a
...
snprintf.o:
00000000 t 
00000000 d 
00000000 b 
00000000 ? 
00000000 ? 
00000000 t gcc2_compiled.
00000000 T snprintf
00000020 T vsnprintf
         U vsprintf
-davenant:~> 

> chiark.mail.linux-security (no posting) #1335 (0 + 20 more)
> Date: Thu Jul 10 01:52:33 BST 1997
> From: Thomas Roessler <roessler@guug.de>
> Subject: [linux-security] so-called snprintf() in db-1.85.4
> 
> Hi,
> 
> There is a severe problem with the db-1.85.4 library's Linux
> port that can be found on sunsite.unc.edu under
> /pub/Linux/libs/db-1.85.4-src.tar.gz (sp?): This library
> contains a "snprintf" function which breaks down to a common
> sprintf, ignoring the size parameter.  Obviously, this was
> thought to be a terribly bad work-around for C libraries which
> don't contain an snprintf routine of their own.  The
> consequences of this bug are obvious: Any program which is
> linked with libdb.so.1.85.4 and relies on snprintf(3) to do
> its bounds checking doesn't have any bounds checking at all.
> 
> Note that recent linux C libraries contain an snprintf(3)
> function of their own which does its job properly.  Thus, the
> fix is to simply remove snprintf.o from libdb.
> 
> tlr
> -- 
> Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
>    1280/593238E1 · AE 24 38 88 1B 45 E4 C6  03 F5 15 6E 9C CA FD DB

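A self-test for the failure reported above, as an added example that is not part of the original message or of libdb: it checks whether the `snprintf`/`vsnprintf` a binary ended up linked against honours the size argument, using guard bytes in a buffer large enough that even a size-ignoring implementation cannot overflow it. All names are hypothetical, and `libdb_style_snprintf` is a constructed stand-in for the wrapper described (a call straight through to `vsprintf`), not libdb's source.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout; nothing here is taken from libdb. */
typedef int (*snprintf_fn)(char *, size_t, const char *, ...);
enum { LIMIT = 10, ARENA = 64, GUARD = 0x5A };

/* Constructed stand-in for the flaw described above: the size is ignored. */
int libdb_style_snprintf(char *str, size_t n, const char *fmt, ...)
{
    va_list ap;
    (void)n;                         /* the defect: no bounds check at all */
    va_start(ap, fmt);
    int r = vsprintf(str, fmt, ap);
    va_end(ap);
    return r;
}

/* Routes the same probe through whichever vsnprintf got linked in. */
int via_vsnprintf(char *str, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(str, n, fmt, ap);
    va_end(ap);
    return r;
}

/* 1 = fn stayed within LIMIT bytes and NUL-terminated, 0 = it did not,
 * -1 = arg is too long for the probe to run safely. */
int honours_size(snprintf_fn fn, const char *arg)
{
    char arena[ARENA];
    if (strlen(arg) + 3 > ARENA) return -1;  /* '>' + arg + '<' + NUL */
    memset(arena, GUARD, sizeof arena);
    fn(arena, LIMIT, ">%s<", arg);   /* told LIMIT, really ARENA bytes */
    for (size_t i = LIMIT; i < ARENA; i++)
        if ((unsigned char)arena[i] != GUARD) return 0;
    return memchr(arena, '\0', LIMIT) != NULL;
}

int main(void)
{
    const char *arg = "hello-there-people";  /* input from the transcript */
    printf("snprintf=%d vsnprintf=%d size-ignoring=%d\n", honours_size(snprintf, arg),
           honours_size(via_vsnprintf, arg), honours_size(libdb_style_snprintf, arg));
    return honours_size(snprintf, arg) == 1 ? 0 : 1;
}
```

Building this with the same libraries and link order as the program under audit makes the exit status reflect the `snprintf` that program actually resolves; as in the transcript, a short argument such as `hello` passes either way.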