This is the mail archive of the
mailing list for the GCC project.
Re: US-CERT Vulnerability Note VU#162289
- From: "Robert C. Seacord" <rcs at cert dot org>
- To: mark at codesourcery dot com
- Cc: gcc at gcc dot gnu dot org, Chad Dougherty <crd at cert dot org>
- Date: Mon, 07 Apr 2008 13:28:21 -0400
- Subject: Re: US-CERT Vulnerability Note VU#162289
> The GCC SC was aware of this CERT posting before it was public. Our
> feeling is that this is not a GCC bug, although it is something that
> we would like GCC to warn about. I talked to Ian Taylor and he agreed
> to work on the warning.
I agree with you that the behavior that gcc exhibits in this case is
permitted by the ISO/IEC 9899:1999 C specification
(§6.5.6p8). I believe the vulnerability is that gcc may *silently*
discard the overflow checks and that this is a recent change in behavior.
Once a new version or patch is available that will warn users that this
optimization is taking place, I will recommend that we change the
workaround from "Avoid newer versions of gcc" to "Avoid affected versions of
gcc" and/or recommend that users download the patch / revision.
You are also right that the popularity of gcc is one of the reasons we
decided to publish on this. If you identify other compilers that a) are
relatively popular, b) have changed their behavior recently, and c)
silently optimize out overflow checks we will consider publishing
vulnerability notes for those compilers as well.
Robert C. Seacord
Senior Vulnerability Analyst
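
The following is an added example, not part of the original message or of GCC or CERT material. It sets a pointer wrap test of the kind under discussion (assumed here to have the form `buf + len < buf`) beside a bounds check that stays within defined behavior under C99 §6.5.6p8. The function names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap test of the kind at issue (hypothetical function name). buf + len is
 * only defined while the result stays inside the object or one past its end,
 * so under C99 6.5.6p8 the compiler may assume "buf + len < buf" is always
 * false and remove that branch without any diagnostic. */
int in_bounds_wrapping(const char *buf, const char *buf_end, size_t len)
{
    if (buf + len < buf)        /* undefined on overflow; may be optimized out */
        return 0;
    if (buf + len > buf_end)    /* also forms an out-of-range pointer first */
        return 0;
    return 1;
}

/* Well-defined form: compare len with the space that remains and never form
 * an out-of-range pointer. Assumes buf <= buf_end and that both point into
 * (or one past the end of) the same object. */
int in_bounds_defined(const char *buf, const char *buf_end, size_t len)
{
    return len <= (size_t)(buf_end - buf);
}

int main(void)
{
    char storage[16];                       /* constructed sample buffer */
    const char *end = storage + sizeof storage;
    size_t lens[] = { 0, 16, 17, SIZE_MAX };

    /* Only the defined form is exercised; calling the wrapping form with
     * SIZE_MAX would itself be undefined behavior. */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%zu accepted=%d\n", lens[i],
               in_bounds_defined(storage, end, lens[i]));
    return 0;
}
```

Because the second function works on the difference of two valid pointers, an optimizer has no undefined case it can use to drop the comparison.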