Mailinglist Archive: opensuse (1470 mails)

< Previous Next >
Re: [opensuse] Now what? Glibc bug, vulnerability

On 2/18/2016 10:59, Anton Aylward wrote:
On 02/18/2016 10:47 AM, Ruben Safir wrote:
On 02/17/2016 11:12 AM, Stevens wrote:

Yeah. Read another interesting article on the underlying problem last
night and, having done some application development in a previous life,
I agree wholeheartedly with the "C is the cause for most security
vulnerabilities" thread.

No. Actually, it is not so easy to overrun a buffer on a modern OS, but
putting that aside, there are many times the checking for a memory size
is detrimental to the softwares function, especially in video and games.
The evidence is otherwise.
SANS surveys software bugs and security problems and "buffer overrun"
and "SQL injection" have been the 31 and #2 issues, changing place at
the top of the list, for well over a decade.

The whole issue of not checking things for the sake of speed is all to
often a mis-placed excuse. In all my years of programming and auditing
programming and maintaining programs, I keep finding this weak excuse to
justify even things like ignoring the return values of system calls.
I recall one instance with a backup program supplied by a TLA company
that was quite repeatable and verified by other users, but the people at
support refused to admit that it was "writing" past the end of the
media. We could back up a 10G drive onto a 360K floppy disk with no
errors being reported.

You can't blame the programming language for the stupidity of the
programmer. the reason C is the goto language for all things important
is because it is powerful. It is. And that power is felt in the hands
of the coder.
Right, so lets hand out powerful weapons like thermonuclear devices
willy-nilly. As I've pointed out, too many schools teach C syntax and
grammar but not good programming habits, correctness, or maintainability.

Being in denial over these matters does not contribute to solving the
problems we are facing.

The key is programming habits. Most low level code (kernel, system libs etc) are done in C/C++, hence most juicy buffer overflow targets rely on mistakes in C/C++ code. Write the low level code in another language, and you will be bad mouthing it just as much. Key is bad programming habits, not the language.


To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >