Re: SECURITY: bug in Berkeley DB on some systems (eg. Solaris <= 2.5) [#375]



I do not believe that this report is entirely correct.

> [Berkeley DB] provides an alternate implementation of snprintf() for
> systems that don't have this function (eg. Solaris up to version 2.5),
> but this implementation is just calling vsprintf, and thus may cause
> buffer overruns.  Implementations from version 1.85 up to the most recent
> beta (2.5.9) all use this fake snprintf.

The fake snprintf is only loaded in Berkeley DB version 2 if the local
system libraries do not have their own version of snprintf.  The test is
done using autoconf, specifically by the macro call:

	AC_REPLACE_FUNCS(snprintf)

in the autoconfigure description file, db/dist/configure.in.

Berkeley DB 1.85 does not use autoconf for configuration.  However, it
doesn't load the fake snprintf unless the Makefile is set to compile/load
the snprintf.o file, i.e. it requires some amount of user intervention
before it will use its own snprintf.

> I noticed this bug while running GNOME applications which were linked
> with -ldb _before_ the library that provides a clean snprintf.

I don't understand how this can happen, unless there is a bug in the
snprintf() detection by the Berkeley DB autoconf support.

> I didn't check if PERL is affected by this bug.  At least Berkeley DB
> itself is affected since it will always use its own snprintf().

I believe this is incorrect.  As described above, Berkeley DB should only
use its own snprintf() when the system does not have a snprintf() routine,
or when explicitly configured to do so.

Finally, for the obvious reasons, the Berkeley DB version 2.X releases
don't use any variant of the sprintf call on any string specified by
an application, i.e., it will be very, very difficult to cause a buffer
overflow even when the fake snprintf is loaded.

Note, there are serious problems in the Berkeley DB 1.85 version of the
Berkeley DB software, and I would strongly urge you to upgrade to Berkeley
DB version 2, available from the Sleepycat Software web site.  Berkeley
DB version 2 includes a fully compatible API for the 1.85 release, as well
as utilities to convert your historic databases to the version 2 formats.

For future reference, this Support-Request is #375.

Regards,
Amy Adams

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Amy Adams			Berkeley DB Product Manager
Sleepycat Software Inc.		db@sleepycat.com
394 E. Riding Dr.		+1-617-633-2429
Carlisle, MA 01741		http://www.sleepycat.com
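The thread turns on one question: does the snprintf() actually linked into a binary honour its size argument, or is it a vsprintf()-backed replacement that drops the bound? The following C program is an added example, not Sleepycat or Berkeley DB code, that checks this at runtime. The function names `libc_snprintf`, `vsprintf_backed_snprintf` and `snprintf_honours_bound` are hypothetical; the vsprintf-backed variant is a reconstruction of the behaviour the report describes, not the library's actual replacement source. The probe hands the implementation a small logical bound inside a larger arena, so an unbounded implementation overwrites the canary region but never writes outside the arena.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by the C library snprintf and any replacement for it. */
typedef int (*snprintf_fn)(char *buf, size_t size, const char *fmt, ...);

/* Wrapper around the system snprintf via vsnprintf (hypothetical name). */
static int libc_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Reconstruction of the replacement the report describes (hypothetical
 * name): it accepts a size argument but ignores it and formats through
 * vsprintf, so the caller's bound is never enforced. */
static int vsprintf_backed_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)size;                  /* the bound is discarded here */
    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if `fn` honours its size bound, 0 if it wrote past it.
 * Only the first BOUND bytes of the arena are offered as the logical
 * buffer; the remaining bytes are a canary pattern. The constructed
 * input is 26 bytes plus NUL: longer than BOUND, far shorter than the
 * arena, so even an unbounded implementation stays inside `arena`. */
static int snprintf_honours_bound(snprintf_fn fn)
{
    enum { ARENA = 64, BOUND = 8 };
    char arena[ARENA];
    size_t i;

    memset(arena, 0xAA, sizeof arena);
    fn(arena, (size_t)BOUND, "%s", "abcdefghijklmnopqrstuvwxyz");

    for (i = BOUND; i < ARENA; i++)
        if ((unsigned char)arena[i] != 0xAA)
            return 0;            /* canary clobbered: bound ignored */
    return 1;
}

int main(void)
{
    printf("libc snprintf honours bound:      %d\n",
           snprintf_honours_bound(libc_snprintf));
    printf("vsprintf-backed shim honours bound: %d\n",
           snprintf_honours_bound(vsprintf_backed_snprintf));
    return 0;
}
```

Run against a build of interest, the same check distinguishes a system snprintf() from a replacement that only forwards to vsprintf(); it is the kind of sanity test worth adding to a configure step when AC_REPLACE_FUNCS(snprintf) decides which object file gets linked.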


