Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 30 Sep 2023 20:26:45 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: Rust programs in distrbutions (Was:
 CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)

Dominique Martinet wrote in
 <ZRdyaYEi9YOZUXAg@...ewreck.org>:
 ...
 |For what it's worth,[.]

I want to point out to the surprise of many that languages like
C and C++ allow the possibility to create and use collection aka
container as well as string objects through which access at
invalid offsets etc cause runtime errors, or assertions aka
panics, however desired.
The same is true for loaders of multimedia formats, one can use
"functions" which ensure overflow does not occur.
On the other hand to me rust is a terrible thing, and often the
file prologues with lots of [] directives are deep and dark
forests.  This is of course my personal opinion only.
Objective fact is that many of the OSS tools which get CVEs here
do not see any noticeable money in a market of many many billion
and with tens of thousands of programmers; i do not count the
multi-million-line monsters browsers and offices here, it is only
about the hundreds to thousands of topic libraries, and the
hundreds to thousands little programs which make up a system.
I am super happy that OpenSSL is now funded!
It has an illness factor that it is ok to spend lots of time and
money for a from-scratch rewrite in "safe" language XY (rust, go,
swift (that i at least like a bit) etc), instead of allowing
people to put some sense in software which possibly was written
in a rapid development mode to fit some desire or lack.  Then
again from scratch rewrites of something that already has seen
a mature state regarding desired functionality, interface etc
may make things better than something out in the blue, started on
a friday night, and then filled over time with more and more
functionality as the smoke cleared away.
Putting blame on languages in specialist forums which know better
seems a bit odd.  Most bugs i unfortunately produce are logic
errors, no language will help.  Or recently a memory leak upon
SIGINT that causes this old software to longjmp away, i hope for
a rewrite to get rid of the jumps.
But yes yes, automatic checks and such are nice, i started (over
perl) with JAVA that does this.  I heard (IANA TZ started using
it) that new ISO C ships with checked arithmetic.  Maybe that
comes twenty years too late.  Maybe special types or prefixes
could have been used long ago to achieve the same more nicely,
compiler sizes seem not to be the issue.  But you _can_ if you
_want_ or _need_, .. since ever.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.