This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: 3.2 PATCH: Ada parallel bootstrap fixes
- From: Florian Weimer <fw at deneb dot enyo dot de>
- To: dewar at gnat dot com (Robert Dewar)
- Cc: jsm28 at cam dot ac dot uk, pfeifer at dbai dot tuwien dot ac dot at, gcc at gcc dot gnu dot org, ro at TechFak dot Uni-Bielefeld dot DE
- Date: Sat, 18 May 2002 13:29:37 +0200
- Subject: Re: 3.2 PATCH: Ada parallel bootstrap fixes
- References: <20020514133418.BFF64F28D1@nile.gnat.com>

dewar@gnat.com (Robert Dewar) writes:

> I am not aware of any security issues that we (or I) consider significant.
> I know that Florian has raised some issues, but we do not consider these
> significant.

Just to make a few things clear:

The issues are equivalent to a buffer overflow in tmpfile() (which can
be exploited for setuid programs), and a file creation race condition
in tmpfile() (which affects all programs calling this interface,
setuid or not).

Nowadays, hardly any C vendor would consider such issues
insignificant, and state that the security conscious programmer should
not use these interfaces anyway (some comment on comp.lang.ada, IIRC
not from Robert).

Additional buffer overflow problems are mentioned in the following
message:

http://gcc.gnu.org/ml/gcc-patches/2001-10/msg01039.html

Shall I submit individual bug reports for them? IMHO, this doesn't
make much sense if I'm still the only person who cares about these
problems.