This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: VU#540517


Bruno,

Thanks for the info. I'm sort of a newbie when it comes to gcc maintenance so forgive me if I'm asking stupid questions.

I've downloaded the latest (3.3.3) release and noticed that libgcc2 has not been patched.

I also went to the CVS log for gcc/gcc/libgcc2.c and I can see that the latest revision 1.168.6.1 of this file has been patched.

However, you claim that this is not the version of __mulvsi3 etc. that ends up in /lib/libgcc_s.so.1? If not, in which source file do these versions of the functions originate? I performed a search of the entire 3.3.3 distribution and only found the routines here....

The specific version I had been testing on, in which I was able to cause undetected integer overflows, was gcc (GCC) 3.2.2 20030222 (Red Hat Linux 3.2.2-5). I'll try to repeat these tests on a newer compiler version ASAP.

Believe it or not, we would still consider this a security vulnerability even if it has already been patched, since previous versions of the software are still in use, and applications which have been built with previous gcc versions may also be vulnerable. However, I would like to accurately document which versions are vulnerable. My best thinking right now is that 3.3.3 and previous versions are vulnerable to integer overflow. Could you please confirm this?

Once I have had a chance to evaluate your latest patches I will comment on http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6578 unless you prefer to keep this discussion private for security reasons.

rCs

--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC


Work: 412-268-7608
FAX: 412-268-5758


