This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
RE: US-CERT Vulnerability Note VU#162289
- From: "Dave Korn" <dave dot korn at artimi dot com>
- To: "'Daniel Jacobowitz'" <drow at false dot org>, "'Paul Koning'" <Paul_Koning at dell dot com>
- Cc: <dewar at adacore dot com>, <mark at codesourcery dot com>, <rcs at cert dot org>, <neil at daikokuya dot co dot uk>, <davem at davemloft dot net>, <Joe dot Buck at synopsys dot COM>, <crd at cert dot org>, <gcc at gcc dot gnu dot org>, <cert at cert dot org>
- Date: Fri, 25 Apr 2008 17:34:41 +0100
- Subject: RE: US-CERT Vulnerability Note VU#162289
- References: <20080423.054228.210900224.davem@davemloft.net> <480F3470.2050909@cert.org> <20080423152444.GC11922@synopsys.com> <20080423.153726.58194927.davem@davemloft.net> <20080424150632.GA19131@daikokuya.co.uk> <20080424150906.GB19131@daikokuya.co.uk> <4810A998.5080702@cert.org> <4810B10B.8010806@codesourcery.com> <4811F4E8.5080309@adacore.com> <18449.64661.900618.390597@gargle.gargle.HOWL> <20080425161110.GA24610@caradoc.them.org>
Daniel Jacobowitz wrote:
> On Fri, Apr 25, 2008 at 11:45:25AM -0400, Paul Koning wrote:
>> Robert> To me, the whole notion of this vulnerability node is flawed
>> Robert> in that respect. You can write a lengthy and useful book on
>> Robert> pitfalls in C that must be avoided, but I see no reason to
>> Robert> turn such a book into a cert advisory, let alone pick out a
>> Robert> single arbitrary example on a particular compiler!
>>
>> I think that comment is absolutely correct.
>
> The R in CERT is "Response" (at least it used to be; I can't find an
> expansion on their web site...). They're responding to a problem that
> was reported to them, and alerting others to the problem. We can
> argue about the details, but not about the need to respond.
But the E is "Emergency". This is not an emergency and does not demand an
*urgent* (and hence rushed and methodologically flawed) response; this is just
one more facet of the problems inherent in the design of the C language that
have been going on since /forever/.
cheers,
DaveK
--
Can't think of a witty .sigline today....