I think that is not completely right.
- As the VM is written in C or C++ and uses some native libraries,
  it is always possible that there is a buffer overflow error in that
  part.
  It's just not possible to create new buffer overflow errors without
  using native code, but code you write might induce an overflow error
  in the underlying VM.
- The Apache problem report contains two possible problems:
  - Execution of arbitrary commands
    With Java it's much harder to use an overflow error to do
    this, as you have hardly any control over the memory. (I'm not
    sure enough to say that it is impossible to exploit it.)
  - Denial of service
    This can always happen in one way or the other. (Find a bug in
    Tomcat that produces stack traces or a part of Tomcat that exposes
    a VM error (sometimes it's quite easy to crash VMs), hammer the
    site with requests that produce this error.)
> -----Original Message-----
> From: Tim Funk [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 18 July 2002 22:10
> To: Tomcat Users List
> Subject: Re: Is Tomcat affected by the Apache HTTP Server "chunked"
> encoding vulnerability?
>
>
> No. Java applications cannot be victim to buffer overflow errors.
>