Date: Thu, 16 Jul 1998 09:22:40 +0200
From: Martin Bene
Subject: Berkeley DB problem in slackware distribution

Hi!

I recently ran into a potential problem with Berkeley DB 1.85 as distributed with all versions of Slackware Linux: (fixed in Slackware 3.5 as of 07.14.98)

libdb.so.1.85.4 defines snprintf and vsnprintf as calls to normal sprintf and vsprintf.

Meaning: if you link any program against this lib and aren't careful about library linking order, you'll overload the working procedures from libc with the dummy definitions from libdb and thus end up with broken (v)snprintf. Your programs will be vulnerable to buffer overflows even though correctly coded to avoid it.

(I ran into this while experimenting with a qpopper patch to directly write successful pop3 logins to a database for use with sendmail pop_auth hack).

Bye, Martin

--------------------------------------------------
 Martin Bene               vox: +43-664-3251047
 simon media               fax: +43-316-813824-6
 Andreas-Hofer-Platz 9     e-mail: mb@sime.com
 8010 Graz, Austria
--------------------------------------------------
finger mb@mail.sime.com for PGP public key
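
Added example, not part of the original post and not taken from the libdb source: a self-test that reports whether the snprintf resolved into a binary actually honours its size argument. The names dummy_snprintf and snprintf_is_bounded are hypothetical; dummy_snprintf is a stand-in written to match the behaviour the post describes (size ignored, call passed to vsprintf).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by snprintf and any replacement for it. */
typedef int (*snprintf_fn)(char *, size_t, const char *, ...);

/* Stand-in for the dummy definition the post describes: the size
 * argument is ignored and the call is passed to vsprintf.
 * Hypothetical name; not the libdb source. */
int dummy_snprintf(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    (void)n;
    va_start(ap, fmt);
    r = vsprintf(buf, fmt, ap);
    va_end(ap);
    return r;
}

/* Returns 1 if fn honours its size bound, 0 if it writes past it.
 * The arena is larger than the output, so an unbounded
 * implementation is detected without overflowing anything. */
int snprintf_is_bounded(snprintf_fn fn)
{
    enum { ARENA = 64, BOUND = 8 };
    char arena[ARENA];
    size_t i;

    memset(arena, 0x5A, sizeof arena);          /* canary fill */
    fn(arena, BOUND, "%s", "0123456789abcdef"); /* 16 chars, bound 8 */

    for (i = BOUND; i < ARENA; i++)             /* nothing past bound */
        if ((unsigned char)arena[i] != 0x5A)
            return 0;
    return arena[BOUND - 1] == '\0';            /* and NUL-terminated */
}

int main(void)
{
    printf("snprintf linked into this binary: %s\n",
           snprintf_is_bounded(snprintf) ? "bounded" : "UNBOUNDED");
    printf("dummy stand-in: %s\n",
           snprintf_is_bounded(dummy_snprintf) ? "bounded" : "UNBOUNDED");
    return 0;
}
```

The result depends on which definition the linker resolved, so the check is only meaningful when built with the same libraries, in the same order, as the program being shipped.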