On Mon, 2 Nov 1998, Andrew Brown wrote:

: the only problem with this (ie, why i didn't simply do this but
: instead did the whole routine as advised by ibm in the rootshell
: advisory) is because of this nice big comment at the top of the
: snprintf.h file that you're supposed to steal from the ssh2 package:

:    NOTE: This does NOT work identically with BDS's snprintf.

: they're subtlely different and where security is concerned, i'd rather
: not fiddle about with maybes.

However, the comment indicates that the snprintf from ssh2 has the
ambiguity--you'd be changing behavior by using it.  Remember, you're
replacing calls to _BSD's_ vsprintf with _BSD's_ vsnprintf, which changes no
functionality.

-- 
-- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)