Steven,

A while back Hal Burch and I wrote an article on "Programming Language Format String Vulnerabilities" which is available here:

http://www.ddj.com/security/197002914

In the article we looked at the potential consequences of format string vulnerabilities in Perl, PHP, Java, Python, and Ruby programs.

Sorry, we didn't write anything about Ada. ;^)

rCs

> On Mon, 4 Feb 2008, ljknews wrote:
>
>>> ("%99999999s" to fill up disk or memory, anybody?), so it's marked with
>>> "All" and it's not in the C-specific view, even though there's a heavy
>>> concentration of format strings in C/C++.
>>>
>> It is marked as "All" ?
>>
>> What is the construct in Ada that has such a risk ?
>>
>
> Hmmmm, I don't see any, but then again I don't know Ada. Is there no
> equivalent to format strings in Ada? No library support for it?
>
> Your question actually highlights the point I was trying to make - in CWE,
> we don't yet have a way of specifying language families, such as "any
> language that directly supports format strings," or "any language with
> dynamic evaluation."
>
> - Steve
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
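The "%99999999s" resource-exhaustion case mentioned in the quoted thread is easy to reproduce in one of the interpreted languages the article covers. The Python below is an added example, written for this page; it is not code from the Dr. Dobb's article, from CWE, or from anyone on the list. The function names, the MAX_WIDTH policy limit and the sample attacker input are all made up for the illustration. It shows the vulnerable pattern (untrusted string used as the format), the hardened pattern (constant template, user data only in the argument list), and a checker that rejects untrusted %-style and str.format templates whose width or precision would force a huge allocation.

```python
import re
import string

# Largest width or precision we are willing to honour in an untrusted
# format string. Assumed policy limit for this example, not from the thread.
MAX_WIDTH = 1024

# printf-style conversion: %[flags][width][.precision]conv
_PRINTF_CONV = re.compile(
    r"%(?P<flags>[-+ #0]*)(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"(?P<conv>[diouxXeEfFgGcrsa%])"
)
# str.format spec mini-language:
# [[fill]align][sign][z][#][0][width][grouping][.precision][type]
_FORMAT_SPEC = re.compile(
    r"^(?:.?[<>=^])?[-+ ]?z?#?0?(?P<width>\d+)?[_,]?(?:\.(?P<prec>\d+))?"
    r"[bcdeEfFgGnosxX%]?$"
)


def vulnerable_log(user_fmt, *args):
    """Vulnerable: an untrusted string is used as the format.
    "%99999999s" % ("x",) makes the interpreter build a ~100 MB padded
    string; a few of those in a log call is a memory or log-disk DoS."""
    return user_fmt % args


def safe_log(template, user_value):
    """Hardened: the template is a constant chosen by the program and the
    user's data only travels through the argument list, so "%99999999s"
    inside it is just literal text and never acts as a width."""
    return template % (user_value,)


def _width_ok(value, max_width):
    # None: no width/precision given. '*' takes the width from the argument
    # list, which an attacker may also influence, so it is rejected too.
    return value is None or (value != "*" and int(value) <= max_width)


def check_printf_format(fmt, max_width=MAX_WIDTH):
    """Accept an untrusted %-style template only if every width and
    precision is a small constant."""
    for m in _PRINTF_CONV.finditer(fmt):
        if not (_width_ok(m.group("width"), max_width)
                and _width_ok(m.group("prec"), max_width)):
            return False
    return True


def check_str_format(fmt, max_width=MAX_WIDTH):
    """Same policy for str.format templates such as '{:99999999}'."""
    try:
        fields = list(string.Formatter().parse(fmt))
    except ValueError:          # unbalanced braces etc.: refuse to format
        return False
    for _literal, name, spec, _conv in fields:
        if name is None:        # trailing literal text, no replacement field
            continue
        m = _FORMAT_SPEC.match(spec or "")
        if m is None:           # nested fields or anything we cannot parse
            return False
        if not (_width_ok(m.group("width"), max_width)
                and _width_ok(m.group("prec"), max_width)):
            return False
    return True


if __name__ == "__main__":
    # Constructed attacker input; a small width keeps the demo cheap.
    evil = "%9999s"
    print(len(vulnerable_log(evil, "x")))       # 9999 bytes of padding
    print(safe_log("login from %s", evil))      # literal text, no padding
    print(check_printf_format("%99999999s"))    # False
    print(check_str_format("{:99999999}"))      # False
```

The checker is deliberately conservative: anything it cannot parse (nested replacement fields, a lone brace, a "*" width) is rejected rather than passed through, since the only safe default for a format string you did not write is to not format with it. The real fix is the safe_log shape, where the format string is never attacker-controlled at all; the checker is for code bases where a user-supplied template genuinely has to be supported.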