List archive: bugtraq, 1998
Subject: Re: EMERGENCY: new remote root exploit in UW imapd
>
> I use strcpy() in a lot of code, and none of it had buffer overflows
> because buffers were properly allocated. OTOH, I had a horrible buffer
> overflow in code that handled pointers by itself, and no sane bounds
> checker will notice it in that place unless it has extremely high
> overhead.
>
> As for other languages, who said that their implementations are safe? I
> have never seen a Java VM that didn't crash on some kind of memory/pointer
> manipulation bug.
>
> Really there are two problems:
>
> 1. Programmers aren't good enough, so they write crappy code.
> 2. Programmers are always in a hurry, so they write crappy code.
>
> Even though string manipulation libraries may help (at least they do in
> C++ sometimes), tools and languages are pretty much irrelevant to both
> of the above-mentioned things.
>
This reminds me a bit of the arguments I hear from some people:
"I'm a good driver so I don't need to wear seatbelts"
Although the above post seems to extend it a bit:
"I'm a good driver so nobody has to wear seatbelts"
It is of course true that Great Programmers write fewer buffer overflows and
other bugs than Average Programmers, but by definition the Average guys
will always outnumber the Great guys.
Me? I'm not a programmer, not even an Average one. I am however a sysadmin
who spends a considerable amount of time tracking down and fixing security
bugs, many of which are buffer overflows.
I would happily trade some of the performance of my machines for fewer
buffer overflows any day of the week.
Alex
---------------------------------------------------------------------------
WE ARE STALLMAN OF GNU
RESISTANCE IS FUTILE
YOU WILL BE ASSIMILATED
ALL YOUR CODE WILL SERVE THE COLLECTIVE
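The exchange above argues about three ways of using strcpy(): into a buffer sized from the source ("properly allocated"), into a fixed buffer with no check (the pattern behind the imapd-class overflows), and into a fixed buffer behind a length check (the "seatbelt" the reply is willing to pay for). The following C is an added example written for this archive page, not code from either poster or from UW imapd. The 16-byte buffer, the function names and the input strings are all constructed for illustration; the extra cost of the seatbelt is one strlen() pass over the input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size buffer of the kind a 1990s network daemon might use for a
 * username or mailbox name. 16 is an arbitrary size chosen for this example. */
#define NAME_MAX_LEN 16

/* The pattern behind the classic remote overflow: attacker-controlled input
 * copied into a fixed buffer with no length check. This is only correct if
 * every caller guarantees strlen(src) < NAME_MAX_LEN, which code reading
 * from a socket cannot. Kept here for contrast; never feed it untrusted data. */
void copy_unchecked(char buf[NAME_MAX_LEN], const char *src)
{
    strcpy(buf, src);
}

/* The "seatbelt": measure the input and refuse anything that does not fit,
 * terminator included. Returns 0 on success, -1 if src would overflow dstsz
 * bytes. On refusal dst is left untouched. Rejecting instead of truncating
 * keeps the caller from acting on a silently mangled name. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;              /* would overflow: refuse */
    memcpy(dst, src, n + 1);    /* n + 1 copies the NUL terminator */
    return 0;
}

/* The "properly allocated" case from the quoted message: size the destination
 * from the source, so strcpy() has nowhere to overflow. Caller frees. */
char *copy_exact(const char *src)
{
    size_t n = strlen(src) + 1;
    char *dst = malloc(n);
    if (dst == NULL)
        return NULL;
    strcpy(dst, src);           /* safe: dst was sized for exactly this src */
    return dst;
}

/* Runs the three copies on constructed inputs and returns how many copies
 * into the fixed buffer were refused (expected: 1, the oversized name). */
int demo(void)
{
    char buf[NAME_MAX_LEN];
    const char *short_name = "alice";                          /* constructed */
    const char *fits_exactly = "AAAAAAAAAAAAAAA";              /* 15 chars + NUL = 16 */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 chars, constructed */
    int refused = 0;

    copy_unchecked(buf, short_name);   /* precondition holds here, so fine */
    printf("unchecked copy: %s\n", buf);

    if (copy_checked(buf, sizeof buf, fits_exactly) == 0)
        printf("checked copy accepted 15-char name: %s\n", buf);

    if (copy_checked(buf, sizeof buf, too_long) != 0) {
        refused++;
        printf("checked copy refused %zu-char name; buffer still holds: %s\n",
               strlen(too_long), buf);
    }

    char *heap = copy_exact(too_long);
    if (heap != NULL) {
        printf("exact-size copy holds all %zu chars\n", strlen(heap));
        free(heap);
    }
    return refused;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The boundary worth remembering is the terminator: a 15-character name fits a 16-byte buffer, a 16-character one does not, and the `n >= dstsz` comparison is what encodes that. A truncating alternative such as strncpy() would avoid the overflow but can also drop the terminator, which is why the checked version refuses rather than clips.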