Perl has a potential buffer overflow problem. So does C, and in my opinion, any language based on C.
Those are two different problems! C, on the language level, doesn't have a buffer overflow problem - it doesn't have anything to overrun. However, given the standard libraries, it's very easy to create programs written in C that have a buffer overflow problem.

In Perl, it's quite the opposite. It's very hard to write a program in Perl that has a buffer overflow problem - because Perl hides all the details that can lead to a buffer overflow problem for you. However, Perl needs perl to be able to run. And perl, being written in C, can suffer from a buffer overflow problem.

My major complaint with the line of thinking in this article -- that security should be built in at a fairly high level (and Perl is a high level language) -- is that it, by inference, absolves the O/S of responsibility for not permitting buffer overflows to cause problems. My experience on various flavors of MVS and VM was that any attempt by an application program to access memory outside of its data allocation resulted in immediate termination; data could not be executed as "code" nor could somebody else's memory be accessed.
Careful here. With languages like Perl, you cannot shift all the responsibility to the OS. Remember that for the OS, the entire Perl program is 'data'. Nothing of it is 'code', the only 'code' the OS knows is perl. With a language that runs on a VM, you can go wrong twice. You can have a buffer overflow in the implementation of the VM (as in the recently discovered bug) - here the OS could have a role in preventing exploits. However, the architecture of the VM itself may allow a buffer overflow, making it possible for an attacker to execute arbitrary code within the VM. It won't violate any rules the OS is upholding, but it can be as damaging to your system.
Perl --((8:>*

In reply to Re^2: eWeek article: Is a New Vulnerability the Tip of the Perl Iceberg? by Perl Mouse
in thread eWeek article: Is a New Vulnerability the Tip of the Perl Iceberg? by marto

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.