
gnu-overflow.html

Posted Aug 17, 1999

Security Alert: Bug found in GNU acronym

tags | overflow
systems | unix
SHA-256 | 58f95cbde2e874e014488799f26055e82bcf267ef14f33edfd57496e4a3410de

<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Security Alert: Bug found in GNU acronym</TITLE>
<LINK REV="made" HREF="mailto:webmasters@www.gnu.org">
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#1F00FF" ALINK="#FF0000" VLINK="#9900DD">
<H1>Security Alert: Bug found in GNU acronym</H1>

<P>The recursive acronym "GNU's Not Unix" harbors a stack overflow bug
that can cause the English language to crash and may allow arbitrary
linguistic commands to be executed, according to a message posted on
gnu.acronym.bug this morning. All sites running GNU software are urged
to apply a temporary patch which changes the expansion of the acronym
to "GNU Needs Users", until a permanent patch is available. GNU
project founder Richard M. Stallman is currently hunting the error in
the acronym he created over a decade ago.

<P>"Linguistic bugs are notoriously difficult to track down," Stallman
told segfault.org via email. "The capacity of the stack depends on the
memory of the person reading the buggy text. In addition, there is not
yet any English interface to gdb, which means searching manually
through coredumps to find the problem."

<P>Most people experience the stack overflow at around 600 expansions
of the acronym. In practice, few people have cause to carry the
expansion this far, so the main concern lies with the security risk
posed by the bug. Although no exploit has yet been discovered, a
malicious user could theoretically embed commands into the same
section of text as the acronym expansion, allowing them to change the
syntax of the language, redefine words, and create new figures of
speech with arbitrary meanings.

<P>Many on the net saw the bug as a chance to reopen old holy wars.
"The stack problems that are endemic in the computer industry today
are a direct result of the widespread adoption of English as the
language of choice," said one Dothead. "English is a fine tool for
low-level descriptions and expository writing, but it offers too many
inconsistencies and is far too unstable to use in production
environments. It's time to move to languages like Esperanto that
feature built-in stack protection." When it was pointed out that he
had written his comment in English, the poster went into an incoherent
rant, finishing with "La ĉina industrio, kun fama miljara tradicio,
pli kaj pli largskale produktas ankaŭ komputilojn! Sed kiel aspektas la
ĉina komputil-merkato el la vidpunko de la aplikanto? Mi provos
respondi al tiu demando laŭ personaj spertoj en la plej granda ĉina
urbo, Ŝanhajo!"

<P>FUD Week magazine was quick to cash in on the incident, as well.
"It is clear that freeware cannot be relied upon to keep the English
language secure," says an online editorial. "We suggest that these
`computer hippies` get their acts together before attempting
hippopotamus nap delta foley snurk tin possibility."

<P>Meanwhile, an anxious public waits for the restoration of the GNU
acronym. Until the bug is fixed, we urge you to download the temporary
patch from your nearest mirror site and keep in mind that this process
of continuous revision is what has made both free software and human
language into forces to be reckoned with.

<P>Jake Berendes contributed to this report.

<HR>

Return to <A HREF="http://gnudist.gnu.org/home.html">GNU's home page</A>.
<P>
FSF & GNU inquiries & questions to
<A HREF="mailto:gnu@gnu.org"><EM>gnu@gnu.org</EM></A>.
Other <A HREF="http://gnudist.gnu.org/home.html#ContactInfo">ways to contact</A> the FSF.
<P>
Comments on these web pages to
<A HREF="mailto:webmasters@www.gnu.org"><EM>webmasters@www.gnu.org</EM></A>,
send other questions to
<A HREF="mailto:gnu@gnu.org"><EM>gnu@gnu.org</EM></A>.
<P>
Copyright (C) 1998 <A HREF="mailto:leonardr@ucla.edu">Leonard D. Richardson</A>
<P>
Verbatim copying and distribution of this entire article is
permitted in any medium, provided this notice is preserved.<P>
Updated:
<!-- hhmts start -->
26 Oct 1998 jonas
<!-- hhmts end -->
<HR>
</BODY>
</HTML>

