Re: buffer overrun in zlib 1.1.4

[Thamer Al-Harbash <tmh () whitefang com>]

On Sat, 22 Feb 2003, Richard Kettlewell wrote:

> There is an internal #define (HAS_vsnprintf) that causes it to use
> vsnprintf() instead of vsprintf(), but this is not enabled by default,
> not tested for by the configure script, and not documented.

This is a fairly normal (and somewhat frightening) practice I've
seen in several popular packages.

Last I checked ISC dhcp has a #define for vsnprintf to be
vsprintf if the UNIX flavor did not support snprintf.

medusa: {29} cd dhcp-3.0pl2
medusa: {30} grep sprintf `find . -name "*.h"` | tail -10
./includes/cf/qnx.h:# define vsnprintf( buf, size, fmt, list )  vsprintf( buf, fbuf, list )
./includes/cf/sample.h:   sprintf functions which will deposit a limited number of characters
./includes/cf/sample.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
./includes/cf/sco.h:/* SCO doesn't support limited sprintfs. */
./includes/cf/sco.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
./includes/cf/sunos4.h:/* SunOS doesn't support limited sprintfs. */
./includes/cf/sunos4.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
./includes/cf/sunos5-5.h:/* Solaris doesn't support limited sprintfs. */
./includes/cf/sunos5-5.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
./includes/cf/ultrix.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

I know that Ted Lemon, the primary author, is aware this. I've
mentioned it to him a while ago. I am also not aware of this
causing any security holes; although I honestly have not given
his source a security audit.

There are replacement 'snprintf' packages which avoid
this. Patrick Powell's replacement is used in Mutt (a popular
MUA) and has a very liberal license.

-- 
Thamer Al-Harbash            http://www.whitefang.com/
          team dresch made me do it