Re: [Ifile-discuss] Ifile

[Preben Randhol]

Jason Rennie <address@hidden> wrote on 16/04/2003 (19:31) :
> 
> Do you have any idea how important it is to address these issues?  It 
> would certainly be important if ifile is normally run as root, but as far 
> as I know, it usually is not.

This is a misconception which is widespread. For a user it doesn't
matter if the system wasn't compromised when all his data and work is
destroyed or tampered with. Just look at the mail viruses in the M$
windows world. You don't need root premissions to be affected by this.

So I think it is important to address these issues, yes. Personally I
use the Ada95 programming language as this addresses these problems. I
mean it has boundary checks, safe pointers etc... When you are using C
you have to make sure you are doing this correctly by hand.

If you examine the security reports you'll see that 80-90% are due to
buffer overflow. And I would be pretty sure that if you correlate this
with the programming language used you will find that C or C++ has been
used in more or less all cases. Therefore it is important to raise
awareness of this and that people use tools like flawfinder or RATS to
help at least find some of the problems. The other thing is of course to
review the code by reading through it.

I recommend reading this HOWTO: http://www.dwheeler.com/secure-programs/

> I've added a bug that includes your e-mail so that we have a record of 
> the flawfinder run.

Good :-)

As to ifile it looks very nice. I see I have to train it harder :-).
I started using it to filter my mail into folders and it is missing the
spot a bit from time to time, but that is expected. At least it is far
better than spamassassin which put me into swap every morning.

Keep up the excellent work!

Preben