This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: US-CERT Vulnerability Note VU#162289



Mark,


Comments below.
The GCC SC was aware of this CERT posting before it was public. Our feeling is that this is not a GCC bug, although it is something that we would like GCC to warn about. I talked to Ian Taylor and he agreed to work on the warning.
I agree with you that the behavior that gcc exhibits in this case is permitted by the ISO/IEC 9899:1999 C specification <http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1124.pdf> (§6.5.6p8). I believe the vulnerability is that gcc may *silently* discard the overflow checks and that this is a recent change in behavior.

Once a new version or patch is available that will warn users that this optimization is taking place, I will recommend that we change the work around from "Avoid newer versions of gcc" to "Avoid effected versions of gcc" and/or recommend that users download the patch / revision.

You are also right that the popularity of gcc is one of the reasons we decided to publish on this. If you identify other compilers that a) are relatively popular, b) have changed their behavior recently, and c) silently optimize out overflow checks we will consider publishing vulnerability notes for those compilers as well.

rCs
**

--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC


Work: 412-268-7608
FAX: 412-268-6989


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]