Re: UCD-4.2.2 snmptrapd verification

[Wes Hardaker <wes () hardakers net>]

> > > > > On Mon, 18 Feb 2002 18:02:33 +0100, Olaf Kirch <okir () caldera de> said:

Olaf> On Fri, Feb 15, 2002 at 10:39:51AM -0500, KF wrote:
> > http://www.security-focus.com/bid/4088 stated that UCD-4.2.2 was not 
> > vulnerable to trap handling vulnerabilities.
> > I can verify that this is NOT the case and that it is indeed vulnerable 
> > to the trap issues.

Olaf> When we investigated this issue in OpenLinux we also found that
Olaf> snmptrapd was dying, but when wr investigated this we found that
Olaf> these crashes were caused by libdb, which by default replaces
Olaf> snprintf() with an implementation that simply does a vsprintf()
Olaf> on the arguments.  Needless to say, snmptrapd is linked against
Olaf> libdb for some reason or other.

Ah!  Thanks for letting me know about the library causing the
problem.  I was in fact going to go try and trace down the printf bug
that I had also been seeing.  I was probably going to start with glibc
and get very confused, so thanks!

-- 
"Ninjas aren't dangerous.  They're more afraid of you than you are of them."