COMMAND

    ISC-dhcpd, ucd-snmp

SYSTEMS AFFECTED

    iscdhcp

PROBLEM

    Chris Evans found the following: more format string bugs.
    Exploitability of these has not really been researched.  The
    current feeling is "maybe exploitable under certain circumstances
    and/or configurations".

    An in-depth discussion is not required.  Here are the locations of
    the code flaws:

        [root@localhost dhcp-2.0]# pwd
        /usr/src/redhat/BUILD/dhcp-2.0
        [root@localhost dhcp-2.0]# find . -name \*.c | xargs grep syslog |less
        ./client/dhclient.c:    /* Initially, log errors to stderr as well as to syslogd. */
        ./common/errwarn.c:  syslog (log_priority | LOG_ERR, mbuf);
        ./common/errwarn.c:  syslog (LOG_CRIT, "exiting.");
        ./common/errwarn.c:  syslog (log_priority | LOG_ERR, mbuf);
        ./common/errwarn.c:  syslog (log_priority | LOG_INFO, mbuf);
        ./common/errwarn.c:  syslog (log_priority | LOG_DEBUG, mbuf);
        ./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
        ./common/errwarn.c:     syslog (log_priority | LOG_ERR, token_line);
        ./common/errwarn.c:             syslog (log_priority | LOG_ERR,
        ./relay/dhcrelay.c:     /* Initially, log errors to stderr as well as to syslogd. */
        ./server/dhcpd.c:       /* Initially, log errors to stderr as well as to syslogd. */
        [root@localhost dhcp-2.0]#

        ---
        ucd-snmp-4.1.2/snmplib/snmp_logging.c
        snmp_log_string()
        ~line 183

        ...
          if (do_syslogging) {
            syslog(priority, string);
          }
        ...
        ---
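
    The "grep syslog" listing above mixes safe calls, comments and the
    flawed calls.  The following is an added example, not part of the
    original advisory or of either project: a shell filter that sorts
    syslog() calls by whether the format argument is a string literal.
    The function names and the sample input are constructed for
    illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify every syslog() call by
# whether its format argument is a string literal.
#   FLAG   - format argument is a variable (the pattern listed above)
#   OK     - format argument starts with a string literal
#   REVIEW - call continues on the next line; inspect by hand
# Heuristic: assumes the priority expression itself contains no comma.
audit_syslog() {
    awk '
    match($0, /syslog[ \t]*\(/) {
        args  = substr($0, RSTART + RLENGTH)   # text after "syslog("
        comma = index(args, ",")               # end of priority argument
        fmt   = (comma > 0) ? substr(args, comma + 1) : ""
        sub(/^[ \t]+/, "", fmt)
        if (fmt == "")                      verdict = "REVIEW"
        else if (substr(fmt, 1, 1) == "\"") verdict = "OK"
        else                                verdict = "FLAG"
        printf "%d:%s:%s\n", NR, verdict, $0
    }'
}

# Constructed sample input, modelled on the call shapes shown above.
sample_source() {
    cat <<'EOF'
/* Initially, log errors to stderr as well as to syslogd. */
syslog (log_priority | LOG_ERR, mbuf);
syslog (LOG_CRIT, "exiting.");
syslog (log_priority | LOG_ERR,
        "%s", token_line);
syslog(priority, string);
syslog(priority, "%s", string);
EOF
}

# Print line number, verdict and source text for the sample.
sample_source | audit_syslog
```

    FLAG lines are the ones to change to the literal-format form
    syslog(priority, "%s", string); REVIEW lines continue onto the
    next source line and have to be read by hand.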

SOLUTION

    It's an "alertness" thing, not an exploitability thing.  The
    presence of these format string bugs shows a lack of security
    alertness, regardless of whether or not these specific instances
    are exploitable.  Very few people seem to be responding adequately
    to the format string threat.  OpenBSD is one of the exceptions.