This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: US-CERT Vulnerability Note VU#162289


On Mon, Apr 7, 2008 at 2:15 PM, Robert C. Seacord <rcs@cert.org> wrote:
> Mark,
>
> OK, I'll review again for tone. Generally we don't try to make these notes
> overly broad; they are only meant to draw attention to a specific issue.

Speaking as a completely random observer who has had to respond to the
issues raised by this vulnerability:

This vulnerability report seems sensationalistic.
If I read this vulnerability note, it would imply to me (and in fact,
others who have read it and emailed me about it have gotten exactly
this impression) that I could simply move my code to another compiler
and not experience this behavior, that this is somehow specific to GCC.
After all, it only talks about GCC.
Of course, as many have pointed out, there aren't really any compilers
that *don't* perform this behavior, so I would be mistaken.
This kind of singling out of one compiler for what the entire industry
does in this situation (for better or for worse) gives people the
mistaken impression that they can avoid the problem by switching products.

I've already been asked twice in my job about this report by security
related people, only to have to point out what you guys apparently do
not: That everyone does this, and moving to another compiler would not
help.
You should either be issuing reports for all these other compilers,
withdraw this one, or clarify it to note that every interesting
production compiler also performs this optimization.

To be honest, this report brought my view of CERT way down.  I hope
you guys take the time to correct it.

