Bugtraq mailing list archives

Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp


From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Tue, 26 Sep 2000 00:58:12 +0100

Hi,

SUMMARY
-------

More format string bugs. Exploitability on these has not really been
researched. Current feeling is "maybe exploitable under certain
circumstances/configurations".

An in-depth discussion is not required. Here are the locations of the code
flaws:

---

[root@localhost dhcp-2.0]# pwd
/usr/src/redhat/BUILD/dhcp-2.0
[root@localhost dhcp-2.0]# find . -name \*.c | xargs grep syslog |less
./client/dhclient.c:    /* Initially, log errors to stderr as well as to syslogd. */
./common/errwarn.c:  syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:  syslog (LOG_CRIT, "exiting.");
./common/errwarn.c:  syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:  syslog (log_priority | LOG_INFO, mbuf);
./common/errwarn.c:  syslog (log_priority | LOG_DEBUG, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_ERR, token_line);
./common/errwarn.c:             syslog (log_priority | LOG_ERR,
./relay/dhcrelay.c:     /* Initially, log errors to stderr as well as to syslogd. */
./server/dhcpd.c:       /* Initially, log errors to stderr as well as to syslogd. */
[root@localhost dhcp-2.0]#

---
ucd-snmp-4.1.2/snmplib/snmp_logging.c
snmp_log_string()
~line 183

...
  if (do_syslogging) {
    syslog(priority, string);
  }
...
---

Cheers
Chris
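
The flagged call shape, syslog(priority, string), next to the corrected one, as an added example that is not part of the original post or of either project's code. snprintf() stands in for syslog() so the rendered text can be compared; the function names and the sample string are assumptions made for illustration.

```c
/* Added example: syslog() treats its second argument as a printf-style
 * format string. snprintf() stands in for it so the result is visible. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample input: "%%" is harmless but shows interpretation. */
static const char SAMPLE[] = "lease 100%% full";

/* Flawed pattern, same shape as syslog(priority, string). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_as_format(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);   /* data used as the format */
}
#pragma GCC diagnostic pop

/* Corrected pattern: constant format, data passed as an argument. */
int render_as_data(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Hypothetical hardened wrapper for the logging call sites. */
void log_string_safe(int priority, const char *string)
{
    syslog(priority, "%s", string);
}

int main(void)
{
    char a[64], b[64];
    render_as_format(a, sizeof a, SAMPLE);
    render_as_data(b, sizeof b, SAMPLE);
    printf("as format: %s\nas data:   %s\n", a, b);
    log_string_safe(LOG_ERR, SAMPLE);
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn on the first pattern, which is a quick way to locate call sites like the ones listed above.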

