[Announce] GnuPG 1.4 and 2.0 buffer overflow

Christian Biere christianbiere at gmx.de
Thu Nov 30 12:42:28 CET 2006


Werner Koch wrote:
> > Also replacement implementations for snprintf() have been around for years
> > and vsnprintf() can be used to write your own asprintf() in about 5 lines.
> 
> va_copy is not a standard function/macro and actually missing on a lot

Nonsense. Do you want to deny that ISO C99 is a standard?

> of systems or again buggy.

Then send bug reports or stop supporting these systems. Do you think it's
alright to use flawed techniques just to "support" some broken and deprecated
systems? This might be acceptable as a temporary workaround but not more.

> Without that you can implement neither asprintf nor your proposed astrcat -
> unless you want to resort to realloc chains.

Indeed you don't need va_copy() at all. What is the problem with realloc()?
Are you now going to argue with performance concerns?

> Instead of repeating these old discussions over and over again,

This can't be discussed often enough. Instead of repeating the same bugs over
and over again, why don't you start to re-evaluate your tools? I'm not talking
about C itself.

> I wonder why people don't look at the code to figure out the flaws.  A
> bug lurking for 7 years and not detected by thousands of eyeballs
> scrutinizing every line of free code?  SCNR.

Because that's just a myth created by some open-source zealots. I think most
people have better things to do or maybe they are already busy with fixing
other software. Also you get tired of this pretty fast if you see people
repeating the same bugs. So you say it's a better idea to look for buffer
overflows and other bugs, providing patches, just so that people can add these
bugs again, instead of trying to tell them how they can avoid these in the
first place?

-- 
Christian
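
Added example, not part of the original message and not GnuPG code: one way to write the two helpers this thread argues about, a formatter that restarts the argument list with a second va_start() instead of va_copy(), and a concatenation that grows its buffer with realloc(). Assumptions: a C99 vsnprintf() that returns the required length when given a NULL buffer; the name fmt_alloc and the astrcat signature are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: format into a freshly allocated string.
 * The variadic function itself may call va_start() twice, so the
 * sizing pass and the writing pass need no va_copy(). */
char *fmt_alloc(const char *fmt, ...)
{
    va_list ap;
    int need;
    char *buf;

    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);  /* C99: length required, no write */
    va_end(ap);
    if (need < 0)                        /* pre-C99 libcs return -1 here */
        return NULL;
    buf = malloc((size_t)need + 1);
    if (buf == NULL)
        return NULL;
    va_start(ap, fmt);                   /* second pass over the same args */
    vsnprintf(buf, (size_t)need + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Hypothetical astrcat: append src to *dst (which may be NULL), growing
 * it with realloc(). Returns 0 on success, -1 on failure; on failure
 * *dst is left valid and unchanged. */
int astrcat(char **dst, const char *src)
{
    size_t old = *dst ? strlen(*dst) : 0;
    size_t add = strlen(src);
    char *p;

    if (add > (size_t)-1 - old - 1)      /* old + add + 1 would wrap */
        return -1;
    p = realloc(*dst, old + add + 1);
    if (p == NULL)
        return -1;
    memcpy(p + old, src, add + 1);       /* includes the terminating NUL */
    *dst = p;
    return 0;
}
```

Both helpers size the destination from the actual input length, so no fixed-size buffer is involved; the caller frees the result.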



More information about the Gnupg-devel mailing list