[Announce] GnuPG 1.4 and 2.0 buffer overflow

Christian Biere christianbiere at gmx.de
Thu Nov 30 17:30:29 CET 2006


Werner Koch wrote:
> On Thu, 30 Nov 2006 12:42, christianbiere at gmx.de said:
> Portability is actually a security feature.  Only thinking Linux or
> BSD is narrow minded.
 
Actually, the "portability" argument supports my point of view because the
printf() family is - as some would call it - "non-portable" due to the huge
differences between implementations. So they are best avoided except for simple
cases. Instead of working around missing features and bugs in those, it's best
to use the same portable, easy-to-audit, non-error-prone functions for each
platform.

However, you have to differentiate. Some platforms support secure functions (which
prevent race conditions, for example) that are missing on others and cannot be
replaced in userland because they require support by the kernel. In such cases,
I would certainly not back off to the unsafe variant just for portability but
instead use the safer variant where possible. In the case of GnuPG, mlock() might be
a good example. On Linux and many other systems it typically requires
root privileges; on BSD systems it doesn't, instead there's a configurable
limit.

Also, I don't think I qualify as a BSD or Linux zealot because at the very least I
read the manual pages at opengroup.org before I use a new feature and also
those of IRIX and Solaris. However, it's a shame that commercial vendors often
provide a very poor flavour of Unix compared to the freely available variants.

I wasn't actually asking you to rewrite or convert anything. My concern was
that you discouraged use of asprintf() and this was part of the official
announcement. Now asprintf() may not be the best choice. I just wanted to show
that there are other options besides malloc() + sprintf() that can be
considered.

> It is not about tools or languages.  It is about education and experience.
> Look at the polls done with first semester IT students: Most of them do not
> want to learn programming, but to get a highly paid management job.  Guess what
> most of them eventually do: Writing C++, Java and PHP code.  Without being
> interested in the field of software architecture that leads to bad software.

Agreed. However, don't blame it only on the students. I don't think you can
learn C properly at a university because they're teaching Java nowadays and C
or C++ courses are often of dubious quality. Also, few have a clue about what to
do with an IT graduate. They are frequently mistaken for "Programmer Gold Plus"
albeit that often isn't their strength at all.

-- 
Christian
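The asprintf()-style alternative to malloc() + sprintf() that the message refers to, as an added example that is not part of the original post or of GnuPG's code: a vsnprintf() dry run measures the output before any buffer is allocated, so the size can never be hand-miscounted. portable_asprintf() and build_status_line() are hypothetical names, and the code assumes a C99-conforming vsnprintf().

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical portable replacement for asprintf(): a vsnprintf() dry run
 * measures the output, then a second pass writes into a buffer sized from
 * that measurement. Returns the formatted length, or -1 on error (then
 * *out is NULL). Assumes C99 vsnprintf() semantics; an older vsnprintf()
 * that returns -1 on truncation makes the dry run fail safely instead. */
int portable_asprintf(char **out, const char *fmt, ...)
{
    va_list ap, ap2;
    int n;
    size_t size;
    char *buf;

    *out = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);                       /* second copy for the real pass */
    n = vsnprintf(NULL, 0, fmt, ap);        /* measure only, writes nothing */
    va_end(ap);
    if (n < 0) { va_end(ap2); return -1; }
    size = (size_t)n + 1;                   /* room for the terminator */
    buf = malloc(size);
    if (buf == NULL) { va_end(ap2); return -1; }
    n = vsnprintf(buf, size, fmt, ap2);     /* bounded write, cannot overflow */
    va_end(ap2);
    if (n < 0 || (size_t)n >= size) { free(buf); return -1; }
    *out = buf;
    return n;
}

/* Example caller (constructed): the message length depends on an
 * attacker-controlled user ID, exactly the case where a hand-computed
 * malloc() size for sprintf() tends to go wrong. */
int build_status_line(const char *user_id, unsigned long key_bits, char **out)
{
    return portable_asprintf(out, "key for %s has %lu bits", user_id, key_bits);
}

int main(void)
{
    char *line;
    int len = build_status_line("Alice <alice@example.org>", 2048UL, &line);
    if (len < 0) return 1;
    printf("%s (%d bytes)\n", line, len);
    free(line);
    return 0;
}
```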