Implications of recent virus (Trojan Horse) attack

Doug Gwyn gwyn@smoke.BRL.MIL
Tue Nov 15 07:54:51 AEST 1988


In article <17519@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes:
>I can imagine you crusading against gets() in both the C and POSIX
>standards and I hope you have had success in that area. I would go
>so far as to suggest that everyone remove this routine from libc.a
>and place it in a separate library available only upon special request
>for binary applications only, after filling out numerous forms.

Although I probably voted to remove gets() from the proposed C standard,
I will stand by X3J11's decision to leave it in.  As explained in
discussions raging in comp.lang.c (INFO-C), there are safe uses for
gets(), its "problem" is well known, there are several other standard
library routines with similar characteristics, and a lot of existing
code uses it (sometimes safely, sometimes not).

People are focusing on the wrong problem.  The Internet virus also
attacked through a hole unrelated to gets(), and I know of at least
three other such holes.  The general problem is lack of sufficient
attention to detail in security-related code.  You're not going to
solve this by outlawing a sometimes useful tool.
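An added example, not part of Gwyn's post or the thread, illustrating the "problem" with gets() he refers to and the attention to detail that a replacement needs. gets() is handed a pointer and no length, so it cannot stop at the end of the caller's buffer; the function below (bounded_gets, a name chosen here) keeps gets()'s semantics of stripping the newline but stops at the boundary, reports truncation, and discards the rest of an overlong line so the next read starts on a fresh line. It also gets the edge case right where a line fits the buffer exactly. The sample input is constructed for the demo, and fmemopen is assumed to be available (it is POSIX, not standard C).

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Status returned by bounded_gets(). */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Bounded replacement for gets(): reads one line from fp into buf, which holds
 * size bytes, strips the trailing newline, and, unlike gets(), never writes
 * past buf[size-1]. If the line did not fit, the remainder is consumed and
 * discarded so the following call begins on a new line, and LINE_TRUNCATED
 * is returned. LINE_EOF means nothing was read. */
enum line_status bounded_gets(char *buf, size_t size, FILE *fp)
{
    if (size == 0 || fgets(buf, (int)size, fp) == NULL) {
        if (size) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer. Three cases: the line was exactly size-1
     * bytes and the newline is the next character; the input ended without
     * a newline; or the line really was too long. Peek to tell them apart. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return LINE_OK;
    do {
        c = fgetc(fp);          /* drain the rest of the overlong line */
    } while (c != '\n' && c != EOF);
    return LINE_TRUNCATED;
}

/* Constructed sample input (not from the original post): three lines, the
 * second much longer than the 8-byte buffer the demo reads into. gets()
 * would copy all of line two, plus its terminating NUL, past that buffer. */
static const char SAMPLE_INPUT[] =
    "short\n"
    "this line is far longer than the buffer it is read into\n"
    "tail";

/* Reads SAMPLE_INPUT with an 8-byte buffer that is followed in memory by a
 * guard region. Returns the number of truncated lines, -1 if the guard was
 * overwritten, or -2 if the in-memory stream could not be opened. */
int demo_truncated_lines(void)
{
    struct { char buf[8]; unsigned char guard[8]; } s;
    memset(s.guard, 0x5a, sizeof s.guard);
    FILE *fp = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1, "r");
    if (!fp) return -2;
    int truncated = 0;
    enum line_status st;
    while ((st = bounded_gets(s.buf, sizeof s.buf, fp)) != LINE_EOF)
        if (st == LINE_TRUNCATED) truncated++;
    fclose(fp);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a) return -1;
    return truncated;
}

/* Edge case: a 7-character line read into an 8-byte buffer fills it exactly.
 * The newline is the next byte, so the line fit and must not be reported
 * as truncated. Returns the status of that first read. */
int demo_exact_fit(void)
{
    static const char exact[] = "1234567\nx";   /* constructed input */
    char buf[8];
    FILE *fp = fmemopen((void *)exact, sizeof exact - 1, "r");
    if (!fp) return -2;
    enum line_status st = bounded_gets(buf, sizeof buf, fp);
    fclose(fp);
    return st;
}

int main(void)
{
    char line[8];
    enum line_status st;
    printf("reading stdin with a %zu-byte buffer\n", sizeof line);
    while ((st = bounded_gets(line, sizeof line, stdin)) != LINE_EOF)
        printf("%s: \"%s\"\n", st == LINE_TRUNCATED ? "TRUNCATED" : "ok", line);
    printf("demo: %d truncated line(s), exact fit status %d\n",
           demo_truncated_lines(), demo_exact_fit());
    return 0;
}
```

The point of the peek after fgets() is the kind of detail Gwyn's last paragraph is about: a replacement that simply calls fgets() and strips the newline either silently truncates and then hands the tail of the long line to the next caller as if it were a new line, or mis-reports a line that fit exactly as truncated. Neither is a buffer overrun, but both are the sort of quiet misbehaviour that security-related code cannot afford.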
