[7340] in bugtraq
Re: EMERGENCY: new remote root exploit in UW imapd
daemon@ATHENA.MIT.EDU (Allen Smith)
Tue Jul 21 17:26:03 1998
Date: Mon, 20 Jul 1998 21:13:31 -0400
Reply-To: Allen Smith <easmith@BEATRICE.RUTGERS.EDU>
From: Allen Smith <easmith@BEATRICE.RUTGERS.EDU>
X-To: perry@piermont.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: "Perry E. Metzger" <perry@PIERMONT.COM> "Re: EMERGENCY: new
remote root exploit in UW imapd" (Jul 16, 11:04pm)
On Jul 16, 11:04pm, Perry E. Metzger (possibly) wrote:
> Craig Spannring writes:
> > C should not be used for trusted programs.
>
> Unfortunately, there are not really good open source alternatives. GCC
> is everywhere.
>
> One thing that I wonder about, though, is that several years ago, some
> guy in the U.K. did a bounds checking version of GCC. It would be Very
> Neat if someone were to track that down and get the egcs people to
> make it available.
http://www-dse.doc.ic.ac.uk/~rj3/bounds-checking.html
This is for 2.7.2. Be forewarned that it results in _very_ slow
programs - an example was cited on the FreeBSD-security mailing list
as follows (Don.Lewis@tsc.tdk.com):
|It may be worse than that. In a desparate attempt to track down a
|bug in BIND, I recompiled it with the bounds checking version of
|gcc. On a fairly zippy machine, it took about half an hour to load
|a few zones with a total of a few hundred hosts. Under light query
|load it was gobbling about 30% of the CPU.
|In the situations where I've used code compiled this way, it seems
|to average about a factor of 20 more expensive in terms of CPU usage.
> In the long run, I'm hoping for Java front ends for GCC that make it
> possible to do reasonable open source programming in a reasonable
> language. Until then...
I'd add that a Perl compiler is in development.
-Allen
--
Allen Smith easmith@beatrice.rutgers.edu
