Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: EMERGENCY: new remote root exploit in UW imapd

From: easmith () BEATRICE RUTGERS EDU (Allen Smith)
Date: Mon, 20 Jul 1998 21:13:31 -0400

On Jul 16, 11:04pm, Perry E. Metzger (possibly) wrote:

Craig Spannring writes:

C should not be used for trusted programs.


Unfortunately, there are not really good open source alternatives. GCC
is everywhere.

One thing that I wonder about, though, is that several years ago, some
guy in the U.K. did a bounds checking version of GCC. It would be Very
Neat if someone were to track that down and get the egcs people to
make it available.


http://www-dse.doc.ic.ac.uk/~rj3/bounds-checking.html

This is for 2.7.2. Be forewarned that it results in _very_ slow
programs - an example was cited on the FreeBSD-security mailing list
as follows (Don.Lewis () tsc tdk com):

|It may be worse than that.  In a desparate attempt to track down a
|bug in BIND, I recompiled it with the bounds checking version of
|gcc.  On a fairly zippy machine, it took about half an hour to load
|a few zones with a total of a few hundred hosts.  Under light query
|load it was gobbling about 30% of the CPU.

|In the situations where I've used code compiled this way, it seems
|to average about a factor of 20 more expensive in terms of CPU usage.


In the long run, I'm hoping for Java front ends for GCC that make it
possible to do reasonable open source programming in a reasonable
language. Until then...


I'd add that a Perl compiler is in development.

        -Allen


--
Allen Smith                             easmith () beatrice rutgers edu
Previous By Date Next
Previous By Thread Next

Current thread: