curl-library

Re: Regarding CVE-2016-9594 (uninitialized random)

From: Andreas Mohr <andi_at_lisas.de>
Date: Sat, 18 Feb 2017 10:39:50 +0100

On Sat, Feb 18, 2017 at 08:30:47AM +0100, Kamil Dudka wrote:
> On Friday, February 17, 2017 23:53:48 Daniel Stenberg wrote:
> > Just blindly sprinkling unions is however not automatically better (==
> > easily understood and debugged) or more foolproof code. Avoiding typecasts
> > can at times be worse than the typecasts themselves. It needs to be done
> > properly.
>
> Exactly. And the same holds for fixing defects reported by static analyzers,
> dynamic analyzers, fuzzers, etc. Such code improvements need to be done by
> programmers who really understand the code. Otherwise the probability of
> introducing new issues is higher than probability of fixing the existing ones.

Indeed. Veni, vidi, defuimus (I came, I saw, we failed).
(had an astonishingly widespread and *simple* case of damage by repair just recently)

One prefers to have these things fixed by people with direct and domain-specific knowledge.
The problem really starts where not even the main developer really understands the workings
(where outside developers need to come in and fix [completely] improper use of toolkit APIs,
sometimes even without participation of more involved developers).

Of course all these issues matter a lot less if code is
nicely tinily scoped / interfaced and self-documenting and clear -
I'd place a bet that
a sufficiently good code implementation can be suitably maintained by
*any* decent programmer (potentially even foreign-language ones).

Andreas Mohr
Received on 2017-02-18