Bugtraq mailing list archives
Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines
From: perry () piermont com (Perry E. Metzger)
Date: Tue, 29 Aug 1995 14:23:21 -0400
Charles Hannum writes:
> Your original patch has a couple of problems; mainly, `p' can still overrun the end of the buffer,
Yup. You forgot another one -- my patch doesn't deal with the %m case appropriately, since it might end up passing a negative number to snprintf. Luckily, none of these can be exercised by sendmail or the other daemons to break security as it stands, but it still has to be fixed. I was tired. Mea culpa, mea culpa, mea maxima culpa. In any case, you've indirectly fixed the second problem by eliminating the %m handling and directly fixed the first.
> In addition, the old special-case handling of `%m' is annoying; it really should be done in vsnprintf().
Thor and I were noting this last night. However, the one problem that I'll note is that, having altered the stdio code, it is now not possible to simply replace the syslog(3) portion of your libraries -- important on machines that don't have source. (Note that this is also going out to bugtraq as well as current-users; most of the people on bugtraq are not as fortunate as we are to be running an operating system that they have control over). However, handling this in the stdio library is "the right thing". (It would be nice if format character handling was extensible with some sort of generic programmatic interface, btw. Often one wants to do things like this.)
> Here's a replacement set of patches. Please note that I have *not* tested this.
Famous last words, Charles... :-)

Perry
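For readers without the patches in front of them, here is the bounded %m expansion the thread is arguing about, written out as an added example. It is not Perry's or Charles's patch and not the 4.4BSD-Lite syslog(3) code; it is a stand-alone illustration of the two points raised above: the copy pointer must never run past the end of the format buffer, and the "remaining space" handed to vsnprintf must be computed without ever going negative. The 256-byte format copy, the refusal of an over-long format (rather than truncating it, which could cut a conversion such as "%s" in half) and the doubling of any '%' inside the strerror text are design choices assumed for this example, and expand_m takes the error text as a parameter so its results do not depend on the platform's strerror wording; bounded_log is the syslog-shaped front end that passes strerror(err) for it.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append one byte to a bounded buffer. `need` counts the full expansion
 * length even when the byte does not fit. The bound is checked with a
 * comparison, not by subtracting a "remaining" size, so it can never go
 * negative or wrap when the buffer is already full. */
static void put_byte(char *out, size_t outsz, size_t *w, size_t *need, char c)
{
    (*need)++;
    if (outsz > 0 && *w < outsz - 1)
        out[(*w)++] = c;
}

/* Copy fmt into out, replacing each "%m" with errmsg (a caller-supplied
 * string such as strerror(errno)). "%%" is copied unchanged so "%%m" is not
 * misread as a %m directive, and any '%' inside errmsg is doubled so that
 * vsnprintf later treats it as a literal. out is always NUL-terminated
 * when outsz > 0. Returns the length of the full expansion (without the
 * NUL); a value >= outsz means the copy was truncated. */
size_t expand_m(const char *fmt, const char *errmsg, char *out, size_t outsz)
{
    size_t w = 0, need = 0;

    for (const char *f = fmt; *f != '\0'; f++) {
        if (f[0] == '%' && f[1] == '%') {
            put_byte(out, outsz, &w, &need, '%');
            put_byte(out, outsz, &w, &need, '%');
            f++;
        } else if (f[0] == '%' && f[1] == 'm') {
            for (const char *m = errmsg; *m != '\0'; m++) {
                if (*m == '%')
                    put_byte(out, outsz, &w, &need, '%');
                put_byte(out, outsz, &w, &need, *m);
            }
            f++;
        } else {
            put_byte(out, outsz, &w, &need, *f);
        }
    }
    if (outsz > 0)
        out[w] = '\0';
    return need;
}

/* Bounded syslog(3)-style formatting: expand %m into a fixed-size copy of
 * the format, then let vsnprintf do the remaining conversions within bufsz.
 * A format whose expansion does not fit is rejected (-1) instead of being
 * truncated, because a cut-off "%s" would leave vsnprintf a dangling
 * conversion. Otherwise returns vsnprintf's result. */
int bounded_vlog(char *buf, size_t bufsz, const char *errmsg,
                 const char *fmt, va_list ap)
{
    char fmt_cpy[256];   /* assumed limit for the expanded format */

    if (expand_m(fmt, errmsg, fmt_cpy, sizeof fmt_cpy) >= sizeof fmt_cpy)
        return -1;
    return vsnprintf(buf, bufsz, fmt_cpy, ap);
}

/* Variadic front end taking the error text explicitly. */
int bounded_log_msg(char *buf, size_t bufsz, const char *errmsg,
                    const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = bounded_vlog(buf, bufsz, errmsg, fmt, ap);
    va_end(ap);
    return n;
}

/* The syslog-shaped front end: %m becomes strerror(err). */
int bounded_log(char *buf, size_t bufsz, int err, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = bounded_vlog(buf, bufsz, strerror(err), fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char line[128];

    /* Constructed sample: what a daemon would log after a failed open(). */
    bounded_log(line, sizeof line, ENOENT, "open %s: %m", "/etc/passwd");
    puts(line);
    return 0;
}
```

The split mirrors the thread: expand_m only needs to know the format and the error text, so the %m special case can stay inside a drop-in syslog(3) replacement, while everything after it is plain vsnprintf and therefore bounded even on a machine where the stdio library cannot be rebuilt.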
