This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: US-CERT Vulnerability Note VU#162289
* Robert Dewar:
> To me, the whole notion of this vulnerability note
> is flawed in that respect. You can write a lengthy
> and useful book on pitfalls in C that must be
> avoided, but I see no reason to turn such a book
> into a cert advisory,
I think it's useful to point out in security advisories widespread
coding mistakes which are particularly security-related. Perhaps I'm
biased because I did that for incorrect integer overflow checks in C
code back in 2002. My motivation back then was that advisories were
published about common configuration mistakes, even though the
underlying tool was working as documented--and misusing a compiler seems
to fall in the same category.