Vulnerability Development mailing list archives
Re: UCD-4.2.2 snmptrapd verification
From: Wes Hardaker <wes () hardakers net>
Date: Tue, 19 Feb 2002 06:33:44 -0800
On Mon, 18 Feb 2002 18:02:33 +0100, Olaf Kirch <okir () caldera de> said:
Olaf> On Fri, Feb 15, 2002 at 10:39:51AM -0500, KF wrote:
http://www.security-focus.com/bid/4088 stated that UCD-4.2.2 was not vulnerable to trap handling vulnerabilities. I can verify that this is NOT the case and that it is indeed vulnerable to the trap issues.
Olaf> When we investigated this issue in OpenLinux we also found that
Olaf> snmptrapd was dying, but when we investigated this we found that
Olaf> these crashes were caused by libdb, which by default replaces
Olaf> snprintf() with an implementation that simply does a vsprintf()
Olaf> on the arguments. Needless to say, snmptrapd is linked against
Olaf> libdb for some reason or other.

Ah! Thanks for letting me know about the library causing the problem. I was in fact going to go try and trace down the printf bug that I had also been seeing. I was probably going to start with glibc and get very confused, so thanks!

--
"Ninjas aren't dangerous. They're more afraid of you than you are of them."
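An added example, not part of the original thread: a C check for the failure mode Olaf describes, where a replacement snprintf() formats with vsprintf() and never consults its size argument. The names shim_snprintf and honours_bound are hypothetical, and the shim is a constructed stand-in for that behaviour, not libdb's code.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by snprintf() and any drop-in replacement for it. */
typedef int (*bounded_fmt_fn)(char *, size_t, const char *, ...);

/* Constructed stand-in for the replacement described in the thread:
 * it accepts a size but formats with vsprintf(), ignoring the bound. */
static int shim_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    (void)size;                 /* the defect: limit never consulted */
    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);
    va_end(ap);
    return n;
}

#define ARENA  64    /* backing store, holds the whole test string */
#define LIMIT  8     /* size the callee is told it may use */
#define CANARY 0x5A

/* Returns 1 if fn kept its output inside LIMIT bytes, 0 otherwise. */
static int honours_bound(bounded_fmt_fn fn)
{
    char arena[ARENA];
    size_t i;

    memset(arena, CANARY, sizeof arena);
    /* 26 characters requested into an 8-byte window; the arena is large
     * enough that even an unbounded writer stays inside memory we own. */
    fn(arena, LIMIT, "%s", "abcdefghijklmnopqrstuvwxyz");

    for (i = LIMIT; i < sizeof arena; i++)
        if ((unsigned char)arena[i] != CANARY)
            return 0;           /* wrote past the stated limit */
    return arena[LIMIT - 1] == '\0';  /* C99: truncated and terminated */
}

int main(void)
{
    printf("linked snprintf honours bound: %d\n", honours_bound(snprintf));
    printf("vsprintf shim honours bound:   %d\n", honours_bound(shim_snprintf));
    return 0;
}
```

Built and linked the same way as the daemon, the first line reports on whichever snprintf() the link actually resolved, which is the question the thread turned on.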