Bugtraq mailing list archives
Re: EMERGENCY: new remote root exploit in UW imapd
From: tai () URD SPIDERNET TO (FanLi Tai)
Date: Sun, 19 Jul 1998 01:00:59 -0500
On Thu, 16 Jul 1998, Craig Spannring wrote:
> Anonymous writes:
> > In some ways, it is depressing to find this new hole. Programmers are
> > still making the same mistakes they have made for years. Doesn't anyone
> > learn from the past? Can strcpy() ever be used safely? Perhaps the
> > software development community, and certainly those writing network service
> > daemons that run as root, should discontinue using *any* C library
> > functions that do not include bounds checking information, such as
> > sprintf(), strcat(), and strcpy(). Yes, they *can* be used safely but the
> > potential for misuse is too great. When will we learn? When?
>
> C should not be used for trusted programs. The lack of true arrays with
> array bounds checking alone makes it too hazardous. How many buffer overflow
> attacks would we hear about if the trusted server programs were written
> using a language with bounds checking like Modula-2 or Ada? Zero.
First, let me say I'm not a programmer. I may know a little something about it, but that's all. Can't code worth a bean.

One reason I can't code is because - where can you find information about safe coding? They certainly don't teach it in classes... There weren't any books on it; you basically have to be very security conscious and actually sit down and have a long hard think about how each and every function works to even have a basic idea of where there are problems. Nothing a beginner can do very well.

I've seen the question asked before, but haven't seen any good pointers towards information on "safe programming". Is there one?

-Tai

--
Software suppliers are trying to make their software packages more "user-friendly". ... Their best approach, so far, has been to take all the old brochures, and stamp the words, "user-friendly" on the cover.
-- Bill Gates, Microsoft, Inc. [Pot. Kettle. Black.]
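As an added illustration of the bounds-checking point raised in the quoted text (example code, not from any poster in this thread), the following C shows the unbounded strcpy() pattern next to a bounded copy that rejects oversized input, and checks the common strncpy() pitfall of a missing terminator. NAME_MAX and the function names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16            /* constructed fixed-size buffer for this example */

enum { COPY_OK = 0, COPY_TOO_LONG = -1 };

/* The pattern the thread warns against: strcpy() copies until it finds the
 * source's NUL, so no length information reaches the call and any input of
 * NAME_MAX bytes or more writes past 'dst'. Kept only as the "before" form. */
static void unsafe_set_name(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: refuse input that does not fit including its terminator,
 * instead of silently truncating. Truncation can itself change meaning
 * (a path, a user name), so the caller is told and can reject the request. */
static int bounded_set_name(char dst[NAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0')   /* never scan past what we could store */
        n++;
    if (n >= NAME_MAX) {                      /* n chars + NUL would not fit */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);                  /* n+1 includes the NUL; fits by the check */
    return COPY_OK;
}

/* strncpy() is often reached for as the "safe" replacement, but when the
 * source fills the whole buffer it writes no terminator, and a later strlen()
 * or printf("%s") reads past the end. Returns 1 if the result is NUL-terminated. */
static int strncpy_terminates(const char *src)
{
    char buf[NAME_MAX];
    strncpy(buf, src, NAME_MAX);
    return memchr(buf, '\0', NAME_MAX) != NULL;
}
```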
Current thread:
- EMERGENCY: new remote root exploit in UW imapd Anonymous (Jul 16)
- Re: EMERGENCY: new remote root exploit in UW imapd Craig Spannring (Jul 16)
- Re: EMERGENCY: new remote root exploit in UW imapd Perry E. Metzger (Jul 16)
- Writing safe code: Java? (was: Re: EMERGENCY: new remote root Art Werschulz (Jul 21)
- Re: EMERGENCY: new remote root exploit in UW imapd Alec Kosky (Jul 16)
- Re: EMERGENCY: new remote root exploit in UW imapd Kragen (Jul 17)
- Buffer overflows. was Re: EMERGENCY: new remote root exploit in Craig Spannring (Jul 17)
- Re: Buffer overflows. was Re: EMERGENCY: new remote root exploit Geoffrey KEATING (Jul 19)
- Re: EMERGENCY: new remote root exploit in UW imapd FanLi Tai (Jul 18)
- Re: EMERGENCY: new remote root exploit in UW imapd Brett Lymn (Jul 19)
- Re: EMERGENCY: new remote root exploit in UW imapd Perry E. Metzger (Jul 16)
- SECURITY: imap-4.1.final now available twiztah (Jul 16)
- Verity/Search'97 Security Problems Jay Soffian (Jul 16)
- New Java Security Flaw Found Gary McGraw (Jul 17)
- Re: New Java Security Flaw Found Greg Alexander (Jul 18)
- Re: New Java Security Flaw Found Sean Garagan (Jul 20)
- Fwd: Security warning: Netscape 4.0x https & Squid 1.2beta proxy Fred Donck (Jul 20)
- N-Base Vulnerability Advisory TTSG (Jul 20)
- IRIX 6.4 ioconfig(1M) and disk_bandwidth(1M) Vulnerability SGI Security Coordinator (Jul 20)
- IRIX 6.3 & 6.4 mailcap vulnerability SGI Security Coordinator (Jul 20)
- Re: New Java Security Flaw Found Greg Alexander (Jul 18)