This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: US-CERT Vulnerability Note VU#162289


On Tue, 22 Apr 2008, Mark Mitchell wrote:

> Chad Dougherty wrote:
> 
> > The vulnerability note has been significantly reworked to focus on the issue
> > of undefined behavior handling in the compiler and the fact that conforming
> > implementations are not required to warn of this condition. I've tried to
> > incorporate many of the valid concerns that were raised on this list in
> > response to the original vulnerability note.
> 
> Thank you for making the update; this is a big improvement.
> 
> However, I'm surprised that only GCC is listed as "vulnerable" at the bottom
> of the page.  We've provided information about a lot of other compilers that
> do the same optimization.  Why is the status for compilers from Microsoft,
> Intel, IBM, etc. listed as "Unknown" instead of "Vulnerable"?
> 
> -- 
> Mark Mitchell
> CodeSourcery
> mark@codesourcery.com
> (650) 331-3385 x713

Additionally, the linked-to notes for GCC are reflective of the original 
inaccuracies: 

http://www.kb.cert.org/vuls/id/CRDY-7DWKWM

Vendor Statement
No statement is currently available from the vendor regarding this 
vulnerability.

US-CERT Addendum
Vendors and developers using the GNU C compiler should consider 
downgrading their version of gcc or sticking with versions of the gcc 
compiler (before version 4.1) that do not perform the offending 
optimization. In the case of gcc, it should be emphasized that this is a 
change of behavior in the later versions of the compiler.

Later,
Brad
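The optimization VU#162289 covers is GCC (4.1 and later) discarding pointer-wraparound checks written as `buf + len < buf`, because pointer arithmetic that leaves the object is undefined in C and the compiler may assume it never wraps. As an added example, not part of this thread or of the vulnerability note, here is that unreliable pattern beside a length-based check the compiler cannot remove; the function names are my own:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * The pattern the note warns about: detecting wraparound by comparing a
 * pointer against itself after adding a length. If buf + len would wrap,
 * the addition is already undefined behaviour, so GCC 4.1+ may conclude
 * the test is always false and delete it. Shown only for contrast.
 */
int fits_unreliable(const char *buf, const char *end, size_t len)
{
    if (buf + len < buf)          /* may be optimized away entirely */
        return 0;
    return buf + len <= end;
}

/*
 * Hardened form: reason about sizes, not about pointers that might wrap.
 * Unsigned comparison and subtraction are fully defined, so the compiler
 * has no licence to drop either test.
 */
int fits_safe(const char *buf, size_t buflen, size_t off, size_t len)
{
    (void)buf;                    /* only sizes matter for the check */
    if (off > buflen)             /* offset already beyond the buffer */
        return 0;
    return len <= buflen - off;   /* remaining room; cannot overflow */
}

/* Copy len bytes into buf+off only when the size-based check passes. */
int bounded_copy(char *buf, size_t buflen, size_t off,
                 const char *src, size_t len)
{
    if (!fits_safe(buf, buflen, off, len))
        return -1;
    memcpy(buf + off, src, len);
    return 0;
}
```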
