Mailinglist Archive: opensuse (1470 mails)

Re: [opensuse] Now what? Glibc bug, vulnerability
On 02/17/2016 08:12 AM, Stevens wrote:
On 02/17/2016 08:50 AM, Anton Aylward wrote:
On 02/17/2016 02:50 AM, Marcus Meissner wrote:
attributes many of the problems we have with 'memory' wrt security to the use of C and C++.

Yeah. Read another interesting article on the underlying problem last night and, having done some application development in a previous life, I agree wholeheartedly with the "C is the cause for most security vulnerabilities" thread. C (and its cousins) has (had?) no function length parameters built in. You have a 1024 byte buffer area and a C function that takes data up until it gets a null (or something) with nothing to tell it that there should only be no more than 1024? Buffer overflow guaranteed, every time.

True, the lack of built in reference (size) checking in the normal course of code is a fundamental flaw. And one that is taken care of in other languages. In some languages if you want to reference areas beyond your defined buffer length you have to contrive to do so, the code will crash if you don't.

That being said, if such range checking were suddenly added to C, the entire would come crashing down, because programming practices of the past will take total re-writes to overcome.

Linux is created with C. Can you say potentially worse than Windows ever thought of being, security wise?

Windows is mostly written in C and C++ as well, so you can't lay that baby at Linux's door.

IMHO, the only thing that has given Linux the perception of being so secure is the fact that with such a small installed desktop base it just hasn't been worth the effort to develop malicious code when attacking Windows is so much more lucrative. But those days are past. Android is (sorta) Linux and look at how it is attacked because it is #1 OS on the planet. But, I digress ... C is the problem.

Ah, the Bill Gates argument. Windows is only attacked because it's popular, not because it's easy. Sorry. Not buying it.

After all is said and done, more is said than done.
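
The 1024-byte buffer case discussed in the thread, as an added C example that is not part of any poster's message: the unbounded copy appears only in a comment, and the checked version carries the destination size with the pointer and rejects input that does not fit. `copy_checked`, `BUF_SIZE` and the status codes are names made up for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024u  /* the 1024-byte buffer from the thread */

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Unbounded form, for contrast only:  strcpy(dst, src);
 * It copies until the NUL and never learns how large dst is.
 * Bounded form: the size travels with the pointer, and input that does
 * not fit (terminating NUL included) is rejected rather than truncated. */
static enum copy_status copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;

    /* Examine at most dst_size bytes of src while looking for the NUL. */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len == dst_size) {      /* no NUL within the space available */
        dst[0] = '\0';          /* leave dst a valid empty string */
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size, NUL included */
    return COPY_OK;
}

/* Constructed inputs: one fills the buffer exactly, one is a byte too long. */
static int demo(void)
{
    char buf[BUF_SIZE], fits[BUF_SIZE], too_long[BUF_SIZE + 1];

    memset(fits, 'A', BUF_SIZE - 1);  fits[BUF_SIZE - 1] = '\0';
    memset(too_long, 'B', BUF_SIZE);  too_long[BUF_SIZE] = '\0';

    return copy_checked(buf, sizeof buf, fits) == COPY_OK
        && strlen(buf) == BUF_SIZE - 1
        && copy_checked(buf, sizeof buf, too_long) == COPY_TOO_LONG
        && buf[0] == '\0';
}

int main(void)
{
    puts(demo() ? "bounded copy behaved as expected" : "unexpected result");
    return 0;
}
```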