[Announce] GnuPG 1.4 and 2.0 buffer overflow

Robert J. Hansen rjh at sixdemonbag.org
Tue Nov 28 09:32:27 CET 2006


Werner Koch wrote:
> If you want protection against buffer overflow, audit the code and
> use an OS which traps execution of code at arbitrary addresses.

A different approach would be to use a language in which buffer
overflows are simply not possible.  Ada95 is an example of a language
which compiles to fast native code and has robust protections against
buffer overflow.

Following this thread further would probably go very much off-topic for
gnupg-devel, but the contrary view--that C is simply the wrong language
to use for security-critical software--should at least be mentioned, I
think.

(Note: Ada95 is used as an example.  I'm not actually suggesting GnuPG
should be, or should have been, written in it.)




