snprintf(3c) redefined by libdb-1.85.4

Description: This idiotic library redefines snprintf() and vsnprintf() to ignore the length parameter! Thus any programs which use *nprintf() for bounds checking and link to can be subverted! Sendmail may very well be vulnerable.
Author: Thomas Roessler <>
Compromise: subvert programs which use
Vulnerable Systems: Linux programs using, as well as other versions.
Date: 8 July 1997

Date: Tue, 8 Jul 1997 21:33:55 +0200
From: Thomas Roessler <>
Cc: The mutt developpers' list <>,
Subject: [linux-security] so-called snprintf() in db-1.85.4


There is a severe problem with the db-1.85.4 library's Linux
port that can be found on under
/pub/Linux/libs/db-1.85.4-src.tar.gz (sp?): This library
contains a "snprintf" function which breaks down to a common
sprintf, ignoring the size parameter.  Obviously, this was
thought to be a terribly bad work-around for C libraries which
don't contain an snprintf routine of their own.  The
consequences of this bug are obvious: Any program which is
linked with and relies on snprintf(3) to do
its bounds checking doesn't have any bounds checking at all.

Note that recent linux C libraries contain an snprintf(3)
function of their own which does its job properly.  Thus, the
fix is to simply remove snprintf.o from libdb.

Thomas Roessler  74a353cc0b19  dg1ktr
   1280/593238E1  AE 24 38 88 1B 45 E4 C6  03 F5 15 6E 9C CA FD DB
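
A self-test for the failure described in the message above, added here as an example and not taken from the original post or from libdb: it checks whether an snprintf-style function respects its size argument, using a real buffer larger than the claimed size so that a non-compliant implementation is detected without any out-of-bounds write. The names `unbounded_snprintf`, `bounded_snprintf` and `honors_size` are hypothetical, and the first is a constructed stand-in for the described behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef int (*snprintf_fn)(char *, size_t, const char *, ...);

/* Constructed stand-in for the behaviour the advisory describes: the size
 * argument is accepted and then ignored. This is not the libdb source. */
static int unbounded_snprintf(char *str, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)size;
    va_start(ap, fmt);
    n = vsprintf(str, fmt, ap);
    va_end(ap);
    return n;
}

/* Forwards the size to whichever vsnprintf the link step resolved. */
static int bounded_snprintf(char *str, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(str, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if fn wrote at most `claimed` bytes and NUL-terminated, else 0.
 * buf really holds 64 bytes, so the 21-byte write of a broken fn stays
 * inside it and only disturbs the canary fill. */
static int honors_size(snprintf_fn fn)
{
    char buf[64];
    const size_t claimed = 8;
    size_t i;
    memset(buf, 0x5A, sizeof buf);
    fn(buf, claimed, "%s", "0123456789abcdefghij");
    if (buf[claimed - 1] != '\0') return 0;       /* ran past the limit */
    for (i = claimed; i < sizeof buf; i++)
        if (buf[i] != 0x5A) return 0;             /* canary overwritten */
    return memcmp(buf, "0123456", claimed - 1) == 0;
}

int main(void)
{
    printf("snprintf: %d  vsnprintf: %d  stand-in: %d\n", honors_size(snprintf),
           honors_size(bounded_snprintf), honors_size(unbounded_snprintf));
    return honors_size(snprintf) && honors_size(bounded_snprintf) ? 0 : 1;
}
```

Build it with the same libraries and link order as the program being checked, so that `snprintf` and `vsnprintf` resolve to the same definitions that program would get.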

This page is part of Fyodor's exploit world.