From owner-freebsd-security  Fri Jul 17 16:40:37 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA16857
          for freebsd-security-outgoing; Fri, 17 Jul 1998 16:40:37 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: (from jmb@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA16849;
          Fri, 17 Jul 1998 16:40:33 -0700 (PDT)
          (envelope-from jmb)
From: "Jonathan M. Bresler" <jmb>
Message-Id: <199807172340.QAA16849@hub.freebsd.org>
Subject: Re: Buffer overflows.  was Re: EMERGENCY: new remote root exploit in UW imapd
In-Reply-To: <199807172249.PAA11364@bangkok.office.cdsnet.net> from Craig Spannring at "Jul 17, 98 03:49:02 pm"
To: cts@internetcds.com (Craig Spannring)
Date: Fri, 17 Jul 1998 16:40:33 -0700 (PDT)
Cc: bugtraq@netspace.org, nobody@replay.com, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Craig Spannring wrote:



[snip]
> People that say eliminating buffer overflows won't have much benefit
> need to examine some data.  I took a look at some recent bugtraq
> messages.  Out of 19 security defects 7 of them were buffer overflows,

	buffer overflows are in vogue right now.
	everyone is looking for them everywhere.
	on one hand this is good.  lots of people will
	learn about them.  on the other hand, this distracts
	from other problems.
[snip]
> I've repeatedly heard that in the hands of a good programmer that C is
> safe and it is only morons write code with buffer overflows.  A lot of
> people seem to think that Eric Allman is a pretty sharp programmer,

	yeah...but remember that sendmail has evolved over years
	to meet various needs.  when eric started writing sendmail
	and even years into it, who would have expected the 
	enviroment sendamil faces today?  its really not fair to
	eric to pull work from one decade into another.
[snip]
>    // Java
>    do {
>      buf[i] = getNextByteFromNextwork();
>    while ('\n' != buf[i++]);
> 
>    /* C */
>    do {
>      buf[i] = getNextByteFromNextwork();
>    while ('\n' != buf[i++]);

	this is time-wrapping again....k & r made the correct decision
	at the time.  today, is not then.  Java is cool...i hope it
	will be fast soon.

jmb

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message