This is the mail archive of the
gcc@gcc.gnu.org
mailing list for the GCC project.
Re: VU#540517
- From: "Robert C. Seacord" <rcs at cert dot org>
- To: Bruno Haible <bruno at clisp dot org>
- Cc: "CERT(R) Coordination Center" <cert at cert dot org>, eggert at twinsun dot com, drepper at redhat dot com, drepper at gnu dot org, glibc-sc at gnu dot org, gcc at gcc dot gnu dot org
- Date: Fri, 02 Apr 2004 09:57:47 -0500
- Subject: Re: VU#540517
- References: <200404012003.i31K3lU1019505@starsky.blue.cert.org> <200404021352.03482.bruno@clisp.org>
Bruno,
Thanks for the info. I'm sort of a newbie when it comes to gcc
maintenance so forgive me if I'm asking stupid questions.
I've downloaded the latest (3.3.3) release and noticed that libgcc2 has
not been patched.
I also went to the CVS log for gcc/gcc/libgcc2.c and I can see that the
latest revision 1.168.6.1 of this file has been patched.
However, you claim that this is not the version of __mulvsi3 etc. that
ends up in /lib/libgcc_s.so.1? if not, in which source file do these
versions of the functions originate? i performed a search of the entire
3.3.3 distribution and only found the routines here....
The specific version I had been testing on, in which I was able to cause
undetected integer overflows was gcc (GCC) 3.2.2 20030222 (Red Hat Linux
3.2.2-5). I'll try to repeat these tests on a newer compiler version ASAP.
Believe it or not, we would still consider this a security vulnerability
even if it has already been patched since previous versions of the
software are still in use, and applications which have been built with
previous gcc versions may also be vulnerable. however, i would like to
accurately document which versions are vulnerable. my best thinking
right now is that 3.3.3 and previous versions are vulnerable to integer
overflow. could you please confirm this?
once i have had a chance to evaluate your latest patches i will comment
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6578 unless you prefer to
keep this discussion private for security reasons.
rCs
--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC
Work: 412-268-7608
FAX: 412-268-5758