This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: US-CERT Vulnerability Note VU#162289
- From: David Edelsohn <dje at watson dot ibm dot com>
- To: "Robert C. Seacord" <rcs at cert dot org>
- Cc: Joe Buck <Joe dot Buck at synopsys dot COM>, mark at codesourcery dot com, gcc at gcc dot gnu dot org, Chad Dougherty <crd at cert dot org>
- Date: Mon, 07 Apr 2008 14:30:01 -0400
- Subject: Re: US-CERT Vulnerability Note VU#162289
- References: <47FA59B5.5000606@cert.org> <20080407180027.GE13317@synopsys.com> <47FA637C.3000205@cert.org>
>>>>> Robert C Seacord writes:
Robert> my thinking is that if this behavior has been in place for many years,
Robert> for example, users will have had the opportunity to discover the changed
Robert> behavior.
This explanation seems to be premised on users never moving an
application to a new system and a new compiler, nor modifying an existing
application, nor new programmers coming to the platform. It assumes that
all programmers on a platform with a compiler that performs this
optimization will have written non-conforming C code that triggers this
transformation, will have encountered an error due to the transformation,
will have debugged the problem, will have corrected the problem, never
will accidentally or intentionally write similarly non-conforming code
again, and will instruct all new and old colleagues about the
vulnerability. That is a long list of assumptions to justify the
explanation that a vulnerability announcement is not necessary for other
optimizing compilers.
David