Tim Winders <twinders_at_SPC.cc.tx.us> writes:
> As it turns out, Digital Unix 4.0D DOES have snprintf() as part of the
> /usr/lib/libdb.a library. I only had to include that library and
> everything is working great!
I'm going to violate list protocol for a moment for a security
warning:
Versions of Digital Unix prior to 4.0D have a *dummy* snprintf() in
libdb.a which discards the length limit and just does a sprintf.
Since snprintf() is often used for security reasons (to avoid buffer
overrun attacks), use of this dummy snprintf() could compromise the
security of your system. At the very least, it won't have the
behavior the programmer expected.
Fortunately, it looks like Digital fixed this in 4.0D (yay), so using
the snprintf() in libdb.a on 4.0D is safe; using the snprintf() from
libdb.a in previous versions of Digital Unix is not safe and should
be avoided.
--
Dan Riley dsr_at_mail.lns.cornell.edu
Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"
Received on Thu Mar 05 1998 - 23:33:41 NZDT