Dave Korn wrote: [ ... lots of exciting commentary on scientific method/etc. that I leave out for the protection of the innocent ... ]
Huzzah! Way to stick it to the man! :-) :-) > This VU falls massively far below the standards we have come to expect > from CERT, and should be withdrawn and reworked from scratch Good idea, although they already did rework it, and I doubt they're going to withdraw it when it really is a potential vulnerability that was apparently detected in the wild. Looking through the new version, it doesn't seem all that bad to me. The only problem is the GCC note, which has an untempered recommendation to consider old versions. That warning is still misguided, but you're not going to get very far trying to say it is entirely wrong. There *may be* someone that could be negatively affected by moving to a new version, and RCS has implied that they can name a case where this is true. Maybe we can convince them to temper the warning, I guess. [I mean really, changing the compiler in any way could trigger vulnerabilities if you have no idea what you're shoving into it. If you cannot depend at all on the quality of your code, test it well and never recompile it. But that path can easily devolve into a religious debate.] Meanwhile, there is an opportunity for a vendor response that will be added verbatim. Is anyone working on one for GCC? I think that would go a long way. gsw
