Bugtraq mailing list archives

Re: EMERGENCY: new remote root exploit in UW imapd


From: kragen () POBOX COM (Kragen)
Date: Fri, 17 Jul 1998 10:14:47 -0400


On Thu, 16 Jul 1998, Craig Spannring wrote:
> Anonymous writes:
>  > In some ways, it is depressing to find this new hole.  Programmers are
>  > still making the same mistakes they have made for years.  Doesn't anyone
>  > learn from the past?  Can strcpy() ever be used safely?  Perhaps the
>  > software development community, and certainly those writing network service
>  > daemons that run as root, should discontinue using *any* C library
>
> C should not be used for trusted programs.  The lack of true arrays
> with array bounds checking alone makes it too hazardous.

Many of the people on this list already know this, but there are
experimental bounds-checking extensions to gcc that do exactly what
you're looking for:

The first work I know of on bounds-checking for gcc was done by Richard
W. M. Jones and Paul Kelly, and is at
http://www.doc.ic.ac.uk/~phjk/BoundsChecking.html
Greg McGary <gkm () eng ascend com> did some other work.  Announcement:
http://www.cygnus.com/ml/egcs/1998-May/0073.html
Richard Jones and Herman ten Brugge did other work.  Announcement:
http://www.cygnus.com/ml/egcs/1998-May/0557.html
Greg compares different approaches in
http://www.cygnus.com/ml/egcs/1998-May/0559.html

Kragen
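
Added example, not part of the original message and not code from the gcc patches linked above: a minimal C sketch of the run-time bounds check the thread says strcpy() lacks, done at library level with a buffer type that carries its own capacity. The names bbuf, bbuf_set, bbuf_append and bbuf_at, the capacity, and the sample inputs are assumptions made for the illustration.

```c
/* Added illustration: a buffer that knows its own capacity, so every copy is
   checked at run time instead of trusting the caller as strcpy() does.
   All names here (bbuf, bbuf_set, bbuf_append, bbuf_at) are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BBUF_CAP 16

struct bbuf {
    size_t len;              /* bytes in use, excluding the NUL */
    char   data[BBUF_CAP];   /* always NUL-terminated */
};

/* Append src; on overflow leave the buffer unchanged and return -1. */
int bbuf_append(struct bbuf *b, const char *src)
{
    size_t n = strlen(src);
    if (n >= BBUF_CAP - b->len)      /* no room for n bytes plus the NUL */
        return -1;
    memcpy(b->data + b->len, src, n + 1);
    b->len += n;
    return 0;
}

/* Replace the contents; an over-long src is rejected and nothing changes. */
int bbuf_set(struct bbuf *b, const char *src)
{
    if (strlen(src) >= BBUF_CAP)
        return -1;
    b->len = 0;
    b->data[0] = '\0';
    return bbuf_append(b, src);
}

/* Checked element read: -1 for any index outside the used region. */
int bbuf_at(const struct bbuf *b, size_t i)
{
    return i < b->len ? (unsigned char)b->data[i] : -1;
}

int main(void)
{
    struct bbuf user = { 0, "" };
    /* Constructed sample input: the second string is longer than the buffer. */
    printf("set short   -> %d (%s)\n", bbuf_set(&user, "alice"), user.data);
    printf("set long    -> %d (%s)\n",
           bbuf_set(&user, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"), user.data);
    printf("append fits -> %d (%s)\n", bbuf_append(&user, "@example"), user.data);
    printf("append over -> %d (%s)\n", bbuf_append(&user, ".org"), user.data);
    return 0;
}
```

The rejected calls return -1 and leave the previous contents in place, so the caller has to handle the error rather than continue with a truncated or overflowed value.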


