This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug other/77409] CVE-2016-4973 Targets using libssp for SSP are missing -D_FORTIFY_SOURCE functionality
- From: "pinskia at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Tue, 30 Aug 2016 02:04:54 +0000
- Subject: [Bug other/77409] CVE-2016-4973 Targets using libssp for SSP are missing -D_FORTIFY_SOURCE functionality
- Auto-submitted: auto-generated
- References: <bug-77409-4@http.gcc.gnu.org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77409
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
      What  |Removed      |Added
----------------------------------------------------------------------------
      Status|UNCONFIRMED  |RESOLVED
  Resolution|---          |INVALID
--- Comment #10 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
https://bugzilla.redhat.com/show_bug.cgi?id=1324759#c6 and the others from
Jakub Jelinek on why this is not a GCC bug.
And why you can't do what you want GCC to change it to do.
> But, if you tweak this upstream, then you break all the users that are installing gcc themselves.
This is why any change to install them as normal headers is wrong even for
targets where you think you should install them.
So again closing this as invalid. This is a security bug in the applications
thinking they get _FORTIFY_SOURCE support for mingw and cygwin, etc., but they
really need to include ssp library headers instead. Not a GCC bug for someone
including the wrong header :).
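
Added example (not part of the original message and not GCC or libssp code): a shell check for the situation described in the comment above, where a build passes -D_FORTIFY_SOURCE but the headers in use never turn calls into their checked forms. It compiles a small probe and looks for undefined `*_chk` wrapper symbols in the object file; the function names `fortify_refs` and `check_fortify`, the `NM` variable and the sample `nm` output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not GCC or libssp code. Function names are hypothetical.

# Constructed nm output for an object built where fortification took effect.
SAMPLE_NM='0000000000000000 T main
                 U __stack_chk_fail
                 U __strcpy_chk'

# Read `nm` output on stdin and print the undefined *_chk wrappers it
# references (__strcpy_chk, __memcpy_chk, ...). Status 1 if there are none.
# The optional extra leading underscore covers 32-bit Windows symbol names.
fortify_refs() {
    awk '$1 == "U" && $2 ~ /^_?__[a-z]+_chk$/ { print $2; n++ }
         END { exit (n > 0 ? 0 : 1) }'
}

# Usage: check_fortify CC [extra compiler flags...]
# Builds a probe with -D_FORTIFY_SOURCE=2 and reports whether the compiler
# emitted a checked call. Set NM for a cross toolchain (default: nm).
check_fortify() {
    cc=$1; shift
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/probe.c" <<'EOF'
#include <string.h>
int main(int argc, char **argv) {
    char buf[16];
    /* Destination size known, source length not: a fortifying
       <string.h> turns this call into __strcpy_chk. */
    strcpy(buf, argv[argc - 1]);
    return buf[0];
}
EOF
    if ! "$cc" -O2 -D_FORTIFY_SOURCE=2 "$@" -c "$tmp/probe.c" -o "$tmp/probe.o"; then
        rm -rf "$tmp"; return 2
    fi
    if "${NM:-nm}" "$tmp/probe.o" | fortify_refs; then
        echo "fortified: checked wrapper referenced"; rc=0
    else
        echo "NOT fortified: _FORTIFY_SOURCE had no effect with these headers"; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Extra arguments are passed to the compiler, so the check can be repeated with the toolchain's ssp header directory on the include path (its location depends on the installation) and the two results compared.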