Subject: Re: CERT Advisory CA-2002-12 Format String Vulnerability in ISC
To: None <sen_ml@eccosys.com>
From: Dave Ahmad <da@securityfocus.com>
List: tech-security
Date: 05/08/2002 21:45:01
> > >Just because a syslog formatting was improved doesn't mean that a security
> > >issue was fixed. Probably the vulnerability wasn't even known.
> >
> > Sorry, I can't parse that.
>
> I read that as:
>
> "Some syslog formatting was improved -- not particularly thinking
> of whether the change had anything to do w/ security. It just so
> happens that in this particular case this fixed a security problem --
> one that wasn't known by the person doing the fixing at the time."
Well, it was found during a 'sweep', was it not? And I think it's a safe
assumption that this format string sweep was carried out to find
possible security problems.

I found the NetBSD response in the CERT advisory a little strange myself
-- it seems to me that a bug discovered in ISC dhcpd would have been
worth looking into. Related to logging, too; to me, it would have
appeared a candidate for being exploitable.

Not suggesting that this was intentional; NetBSD has a good track record
for taking the initiative (for example, the i386 LDT bug).
Dave Ahmad
SecurityFocus
www.securityfocus.com
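As an added illustration of the logging pattern a format string sweep of this kind hunts for, here is editor-added example code (not from this thread, from ISC dhcpd, or from NetBSD). It places the vulnerable call beside its hardened form and includes a small directive scanner of the kind a sweep or a runtime guard can apply to untrusted text. The function names, the "dhcpd: client host" prefix and the hostnames are constructed for the example and do not correspond to anything in the advisory.

```c
/* Editor-added example, not code from the thread, ISC dhcpd or NetBSD.
 * Shows the logging pattern a format-string sweep hunts for, the
 * hardened form, and a small directive counter of the kind such a
 * sweep (or a runtime guard) can apply to untrusted text. Function
 * names, the "dhcpd: client host" prefix and the hostnames are
 * constructed for the example. */
#include <stdio.h>
#include <string.h>

/* The bug pattern, left as a comment: it is undefined behaviour on
 * hostile input, and gcc's -Wformat-security flags exactly this call
 * (a non-literal format with no further arguments):
 *
 *     syslog(LOG_INFO, host);            // host is the format string
 *     snprintf(out, outsz, host);        // same bug, different sink
 *
 * Every '%' in host is then interpreted as a directive; "%x" reads
 * from the stack and "%n" writes to memory. */

/* Hardened form: a fixed literal format, with the untrusted text passed
 * only as a "%s" argument so its bytes are copied verbatim. Returns the
 * length snprintf reports. */
static int log_client_host(char *out, size_t outsz, const char *host)
{
    return snprintf(out, outsz, "dhcpd: client host %s", host);
}

/* Helper for checking the hardened form: format the constructed
 * hostname and compare the log line against what we expect. */
static int hardened_keeps_literal(const char *host, const char *expect)
{
    char line[128];
    log_client_host(line, sizeof line, host);
    return strcmp(line, expect) == 0;
}

/* Result of scanning a string for printf directives. */
struct fmt_audit {
    int directives;   /* conversions other than the literal "%%" */
    int writes;       /* of those, how many are "%n" */
};

/* Walk the string the way the formatter would: skip flags, width,
 * precision and length modifiers after each '%', then record the
 * conversion character. Untrusted text with directives > 0 is what a
 * sweep flags before it can reach a format argument. */
static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = { 0, 0 };
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        p++;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p)                /* string ended inside a directive */
            break;
        a.directives++;
        if (*p == 'n')
            a.writes++;
    }
    return a;
}

int main(void)
{
    /* Constructed sample: a hostname a malicious client could send. */
    const char *evil = "%08x.%08x.%08x.%n";
    char line[128];
    struct fmt_audit a = audit_format(evil);

    log_client_host(line, sizeof line, evil);
    printf("%s\n", line);                 /* directives logged verbatim */
    printf("directives=%d writes=%d\n", a.directives, a.writes);
    return 0;
}
```

The hardened call is the whole fix: once the untrusted text is an argument rather than the format, the scanner is only useful as an audit aid (for instance, to flag client-supplied strings that are heading for a format argument somewhere else). Building with gcc's -Wformat-security makes the compiler do the sweep for the direct-call case.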