oss-sec mailing list archives

Re: Thoughts on Shellshock and beyond

From: Florian Weimer <fweimer () redhat com>
Date: Wed, 15 Oct 2014 11:30:08 +0200

On 10/14/2014 11:45 PM, David A. Wheeler wrote:

The most obvious example of an underused tool is memory-safe languages.
Shellshock would not have been countered by them,
but Heartbleed (and many others) *would* have been countered.

Buffer reuse is common in languages with memory safety (so that I/Othroughput is not bounded by garbage collector throughput). The impactis reduced (you only leak prior buffer contents, whatever that might be,not anything which happens to be in the vicinity on the heap). But Idon't think it's true that memory safety prevents such information leaks.


--
Florian Weimer / Red Hat Product Security

Current thread:

Re: Thoughts on Shellshock and beyond, (continued)
- - - Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 09)
    - Re: Thoughts on Shellshock and beyond Tim (Oct 08)
    - Re: Thoughts on Shellshock and beyond John Haxby (Oct 09)
    - Re: Thoughts on Shellshock and beyond Kobrin, Eric (Oct 09)
    - Re: Thoughts on Shellshock and beyond Stephane Chazelas (Oct 08)
    - Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 08)
    - Re: Thoughts on Shellshock and beyond Tim (Oct 08)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 07)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 14)
  - Re: Thoughts on Shellshock and beyond Robert Watson (Oct 14)
  - Re: Thoughts on Shellshock and beyond Florian Weimer (Oct 15)
    - Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 15)