Bugtraq mailing list archives
Re: EMERGENCY: new remote root exploit in UW imapd
From: alexlh () FUNK ORG (Alex Le Heux)
Date: Wed, 22 Jul 1998 09:35:31 +0200
I use strcpy() in a lot of code, and none of it had buffer overflows because buffers were properly allocated. OTOH, I had a horrible buffer overflow in a code that handled pointers by itself, and no sane bounds checker will notice it in that place unless it will have extremely high overhead.

As for other languages, who said that their implementations are safe? I have never seen a Java VM that didn't crash on some kind of memory/pointer manipulation bug.

Really there are two problems:

1. Programmers aren't good enough, so they write crappy code.
2. Programmers are always in a hurry, so they write crappy code.

Even though string manipulation libraries may help (at least they do in C++ sometimes) tools and languages are pretty much irrelevant to both above mentioned things.
This reminds me a bit of the arguments I hear from some people:

"I'm a good driver so I don't need to wear seatbelts"

Although the above post seems to extend it a bit:

"I'm a good driver so nobody has to wear seatbelts"

It is of course true that Great Programmers write less buffer overflows and other bugs than Average Programmers, but by definition the Average guys will always outnumber the Great guys.

Me? I'm not a programmer, not even an Average one. I am however a sysadmin, who spends a considerable amount of time tracking down and fixing security bugs. Many of which are buffer overflows.

I would happily trade some of the performance of my machines for less buffer overflows any day of the week.

Alex

---------------------------------------------------------------------------
WE ARE STALLMAN OF GNU
RESISTANCE IS FUTILE
YOU WILL BE ASSIMILATED
ALL YOUR CODE WILL SERVE THE COLLECTIVE