Vulnerability Development mailing list archives
Re: UCD-4.2.2 snmptrapd verification
From: Olaf Kirch <okir () caldera de>
Date: Mon, 18 Feb 2002 18:02:33 +0100
On Fri, Feb 15, 2002 at 10:39:51AM -0500, KF wrote:
> http://www.security-focus.com/bid/4088 stated that UCD-4.2.2 was not vulnerable to trap handling vulnerabilities. I can verify that this is NOT the case and that it is indeed vulnerable to the trap issues.
When we investigated this issue in OpenLinux we also found that snmptrapd was dying, but when we investigated this we found that these crashes were caused by libdb, which by default replaces snprintf() with an implementation that simply does a vsprintf() on the arguments. Needless to say, snmptrapd is linked against libdb for some reason or other.

Olaf
--
Olaf Kirch           |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de   +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
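The behaviour described in the message above, as an added example that is not part of the original post and is not libdb's source: a replacement snprintf() that ignores its size argument and calls vsprintf(), next to one that forwards the size to vsnprintf(). The names `shim_snprintf`, `bounded_snprintf` and `bytes_past_limit` and the sample string are hypothetical; the backing buffer is deliberately larger than the claimed limit so the write past that limit can be measured safely.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical shim: accepts a size like snprintf() but never uses it. */
static int shim_snprintf(char *str, size_t size, const char *fmt, ...)
{
    va_list ap;
    (void)size;                      /* the caller's bound is silently dropped */
    va_start(ap, fmt);
    int n = vsprintf(str, fmt, ap);  /* unbounded write */
    va_end(ap);
    return n;
}

/* Bounded counterpart: the size reaches vsnprintf(), so output is truncated. */
static int bounded_snprintf(char *str, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(str, size, fmt, ap);
    va_end(ap);
    return n;
}

typedef int (*fmt_fn)(char *, size_t, const char *, ...);
enum { ARENA = 64, CLAIMED = 8 };    /* real allocation vs. limit passed in */

/* Format input with a claimed limit of CLAIMED bytes into a 0xAA-filled
 * arena and count bytes changed beyond it (input must fit in ARENA). */
static size_t bytes_past_limit(fmt_fn f, const char *input)
{
    unsigned char arena[ARENA];
    size_t spilled = 0;
    memset(arena, 0xAA, sizeof arena);
    f((char *)arena, CLAIMED, "%s", input);
    for (size_t i = CLAIMED; i < ARENA; i++)
        if (arena[i] != 0xAA)
            spilled++;
    return spilled;
}

int main(void)
{
    const char *sample = "constructed-community-string"; /* constructed input */
    printf("shim:    %zu bytes past limit\n", bytes_past_limit(shim_snprintf, sample));
    printf("bounded: %zu bytes past limit\n", bytes_past_limit(bounded_snprintf, sample));
    return 0;
}
```

A caller that sized its buffer to the limit it passed would have those extra bytes land in adjacent memory, which is why code that relies on snprintf() for bounds checking can still crash when linked against such a replacement.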