Subject: Re: Addition to force open to open only regular files
To: None <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 11/30/2000 15:52:14
[ On Tuesday, November 28, 2000 at 10:15:22 (-0500), Todd Vierling wrote: ]
> Subject: Re: Addition to force open to open only regular files
> That's just not true. Solving buffer overflows involves writing smarter
> code. Buffer overflows happen _exclusively_ because of programmer laziness.
Yeah, but buffer overflow exploits are successful exclusively because
the code that suffers them still has set-ID privileges.
> It's really not that hard to see that strcat(), sprintf() (without size
> limiters in the format), etc. are just not safe to use in any well-written
> program, setuid or not.
Bull. That statement implies that programmers can't even count. Those
kinds of functions can be used safely, and removing them from libc
doesn't prevent a sloppy programmer who can't count from making similar
mistakes in his or her own for/while/do loops! I.e. blaming the
buffer-overflow problem on the likes of strcat() is extremely naive.
Greg A. Woods
+1 416 218-0098 VE3TCP <email@example.com> <robohack!woods>
Planix, Inc. <firstname.lastname@example.org>; Secrets of the Weird <email@example.com>