SECURITY: bug in Berkeley DB on some systems (eg. Solaris <= 2.5)
The Berkeley DB (www.sleepycat.com) is a database library used by perl 
(if you enabled it at compile-time), GNOME (www.gnome.org), and other
software.

It provides an alternate implementation of snprintf() for systems that
don't have this function (eg. Solaris up to version 2.5), but this
implementation is just calling vsprintf, and thus may cause buffer
overruns.  Implementations from version 1.85 up to the most recent
beta (2.5.9) all use this fake snprintf.

I noticed this bug while running GNOME applications which were linked
with -ldb _before_ the library that provides a clean snprintf.

I didn't check if PERL is affected by this bug.  At least Berkeley DB
itself is affected since it will always use its own snprintf().

Included is the test program that shows the vulnerability:

/* Berkeley db bug on Solaris <= 2.5 */
/*
gcc -g test.c -ldb -o test;./test
gcc -g test.c snprintf-1.85.c -o test-1.85;./test-1.85
gcc -g test.c snprintf-2.5.9.c -o test-2.5.9;./test-2.5.9
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset(), strlen() */
#include <assert.h>

int main(void) {
  char str[80];
  memset(str, 0, sizeof str);
  printf("str=%s, len=%lu\n", str, (unsigned long)strlen(str));
  /* Format well over 40 characters with a 40-byte limit: a real snprintf
     writes at most 39 characters plus the NUL; the vsprintf-backed fake
     writes the whole string, ignoring the limit. */
  snprintf(str,40,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
  printf("str=%s, len=%lu\n", str, (unsigned long)strlen(str));
  /* Aborts when the linked snprintf ignored its size argument. */
  assert(strlen(str) <= 40);
  return 0;
}
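As an added example (not from this post or from Berkeley DB), a runtime self-check a program linking -ldb could run before trusting snprintf: it formats a string longer than the size argument into a sentinel-filled buffer and verifies that nothing at or past the limit was touched. fake_snprintf is a hypothetical model of the vsprintf-backed fallback described above; the scratch buffer is sized so the check stays in bounds even against it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Scratch buffer is larger than any output produced below, so even the
 * length-ignoring variant stays in bounds and the check itself is safe. */
#define SCRATCH 64
#define LIMIT   8           /* size argument handed to the function under test */

typedef int (*snprintf_fn)(char *, size_t, const char *, ...);

/* Model of the flawed fallback described in the post: same signature as
 * snprintf, but the size argument is discarded and vsprintf does the work.
 * Hypothetical name; this is not the library's own code. */
int fake_snprintf(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;
    (void)n;                        /* the bug: the limit is never used */
    va_start(ap, fmt);
    len = vsprintf(buf, fmt, ap);
    va_end(ap);
    return len;
}

/* Returns 1 if fn truncated to LIMIT-1 characters, NUL-terminated within
 * LIMIT, and left every byte at or beyond LIMIT untouched; 0 otherwise. */
int check_snprintf(snprintf_fn fn)
{
    char buf[SCRATCH];
    const char *input = "0123456789abcdef";   /* 16 chars, longer than LIMIT */
    size_t i;

    memset(buf, 'X', sizeof buf);             /* sentinel pattern */
    fn(buf, LIMIT, "%s", input);

    for (i = LIMIT; i < sizeof buf; i++)      /* nothing written past the limit */
        if (buf[i] != 'X')
            return 0;
    if (memchr(buf, '\0', LIMIT) == NULL)     /* terminated within the limit */
        return 0;
    return strncmp(buf, input, LIMIT - 1) == 0;
}

int main(void)
{
    printf("system snprintf honours size: %d\n", check_snprintf(snprintf));
    printf("vsprintf-backed fallback:     %d\n", check_snprintf(fake_snprintf));
    return 0;
}
```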
