Statement on the Posadis format string bugs
===========================================

This is a reaction to the following SecurityFocus article:
http://online.securityfocus.com/bid/4378

m5pre1 format string bug
------------------------

Posadis version 0.50.1 had an error in its logging functionality which allowed unvalidated data to be used as the first (format) argument of printf() (see the SecurityFocus entry linked above).

This bug could easily be triggered locally by entering format string directives in configuration files or on the command line, in many cases causing Posadis to crash by reading inaccessible memory. However, this format string bug, as we firmly believe, was not remotely exploitable. There has never been any proof of this, and in fact it is impossible, since no call to the vulnerable log_print() function of Posadis contains data from incoming queries. Query logging was only added in Posadis Milestone 5, by which time the bug had already been fixed.

m5pre2 format string bug
------------------------

Posadis m5pre2 contained a second programming error: vsprintf() was called on a fixed-size buffer, with no bound on the output length. This bug was also locally exploitable, but it too was fixed before query logging was added, and is therefore not remotely exploitable either.
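The two defects described above are the classic pair found in C logging wrappers: a caller-supplied message handed to printf() as the format string, and vsprintf() writing into a fixed-size buffer without a bound. The example below is an added illustration, not Posadis code; the function names log_print_safe() and log_message(), the buffer size and the "posadis:" prefix are assumptions. It shows the two unsafe patterns as comments and a hardened wrapper that always uses a fixed format, passes untrusted text as a %s argument, uses vsnprintf() with the buffer size, and reports truncation to the caller.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not from Posadis): a logging wrapper that avoids both
 * defects discussed in the statement.
 *
 * Unsafe pattern 1 (format string bug): the untrusted message *is* the format,
 * so any % directive in it is interpreted by printf:
 *
 *     vprintf(msg, ap);          // msg comes from a config file or argv
 *
 * Unsafe pattern 2 (unbounded write): vsprintf has no idea how big buf is:
 *
 *     char buf[64];
 *     vsprintf(buf, fmt, ap);    // writes past buf on long output
 */

#define LOG_BUF_SIZE 64   /* assumed buffer size for the demonstration */

/* Format into a caller-provided buffer of known size.
 * Returns 0 on success, 1 if the output was truncated, -1 on encoding error.
 * fmt must always be a string literal controlled by the program, never input. */
int log_print_safe(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);   /* bounded: never exceeds outsz */
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz)
        return 1;   /* out holds the first outsz-1 bytes plus a terminator */
    return 0;
}

/* Log untrusted text (e.g. a line from a configuration file).
 * The text is passed as an argument to a fixed "%s" format, so any
 * %n, %s or %x it contains is copied literally instead of interpreted. */
int log_message(char *out, size_t outsz, const char *untrusted)
{
    return log_print_safe(out, outsz, "posadis: %s", untrusted);
}

/* Stand-alone demonstration with constructed input. */
int main(void)
{
    char buf[LOG_BUF_SIZE];
    const char *hostile = "zone %s%s%n";   /* constructed config value */

    int rc = log_message(buf, sizeof buf, hostile);
    printf("rc=%d line=\"%s\"\n", rc, buf);   /* directives appear verbatim */

    char small[8];
    rc = log_message(small, sizeof small, "a message longer than the buffer");
    printf("rc=%d line=\"%s\"\n", rc, small); /* rc=1: truncated, not overflowed */
    return 0;
}
```

The return value matters: a wrapper that silently truncates can still hide an attack or a misconfiguration in the log, so the caller should check for 1 and either emit a follow-up record or enlarge the buffer.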