[7318] in bugtraq
Re: Buffer overflows. was Re: EMERGENCY: new remote root exploit
daemon@ATHENA.MIT.EDU (Geoffrey KEATING)
Mon Jul 20 22:03:45 1998
Date: Mon, 20 Jul 1998 13:23:42 +1000
Reply-To: Geoffrey KEATING <geoffk@DISCUS.ANU.EDU.AU>
From: Geoffrey KEATING <geoffk@DISCUS.ANU.EDU.AU>
X-To: cts@INTERNETCDS.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199807172249.PAA11364@bangkok.office.cdsnet.net> (message from
Craig Spannring on Fri, 17 Jul 1998 15:49:02 -0700)
> Date: Fri, 17 Jul 1998 15:49:02 -0700
> From: Craig Spannring <cts@INTERNETCDS.COM>
> The responses I've gotten can be grouped into the following broad
> categories-
>
> 1) Life would be good if we eliminated C and we will.
> 2) Life would be good if we eliminated C, but we can't.
> 3) C is the only language fast enough.
> 3) Eliminating buffer overflows is nice, but won't solve most of
> the problems.
> 3) You can write safe code in C using strncpy, snprintf, et al.
> 4) Only morons write code with buffer overflows
> 5) Modula-2 and Ada suck and you do you.

You missed one:

5) Modula-2 and Ada are just as insecure if you turn off array
bounds checking.

The language is not the problem; it's the absence of array bounds
checking. There are a number of C compilers that will check your
bounds for you, there's even a modified gcc that will do this.

--
Geoff Keating <Geoff.Keating@anu.edu.au>
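
[Added example, not part of the original message and not code from any compiler mentioned in it.] The sketch below hand-writes in plain C the kind of check a bounds-checking compiler would insert on every array store: the buffer carries its capacity, and an out-of-range index is refused. The names checked_buf, cb_store, cb_strcpy and demo_copy are hypothetical, and the input strings are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical "fat" buffer: storage plus its capacity, the bookkeeping a
   bounds-checking build keeps for each array. */
typedef struct { char *base; size_t cap; } checked_buf;

/* Checked store: 0 on success, -1 if idx lies outside the array.
   An instrumented build would trap here instead of returning. */
static int cb_store(checked_buf *b, size_t idx, char c)
{
    if (b == NULL || b->base == NULL || idx >= b->cap)
        return -1;
    b->base[idx] = c;
    return 0;
}

/* strcpy built only from checked stores. Returns the string length on
   success, -1 if src (with its NUL) does not fit; dst is then emptied. */
static long cb_strcpy(checked_buf *dst, const char *src)
{
    size_t i;
    if (dst == NULL || dst->base == NULL || dst->cap == 0 || src == NULL)
        return -1;
    for (i = 0; ; i++) {
        if (cb_store(dst, i, src[i]) != 0) {
            dst->base[0] = '\0';
            return -1;
        }
        if (src[i] == '\0')
            return (long)i;
    }
}

/* Constructed demo: an 8-byte field followed by a canary field.
   Returns cb_strcpy's result, or -2 if the canary was overwritten. */
static long demo_copy(const char *src)
{
    struct { char name[8]; char canary[8]; } frame;
    checked_buf b = { frame.name, sizeof frame.name };
    long r;
    memcpy(frame.canary, "CANARY!", 8);
    r = cb_strcpy(&b, src);
    if (memcmp(frame.canary, "CANARY!", 8) != 0)
        return -2;
    return r;
}

int main(void) { return demo_copy("constructed-overlong-input") == -1 ? 0 : 1; }
```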