This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: US-CERT Vulnerability Note VU#162289
On Tue, 22 Apr 2008, Mark Mitchell wrote:
> Chad Dougherty wrote:
>
> > The vulnerability note has been significantly reworked to focus on the issue
> > of undefined behavior handling in the compiler and the fact that conforming
> > implementations are not required to warn of this condition. I've tried to
> > incorporate many of the valid concerns that were raised on this list in
> > response to the original vulnerability note.
>
> Thank you for making the update; this is a big improvement.
>
> However, I'm surprised that only GCC is listed as "vulnerable" at the bottom
> of the page. We've provided information about a lot of other compilers that
> do the same optimization. Why is the status for compilers from Microsoft,
> Intel, IBM, etc. listed as "Unknown" instead of "Vulnerable"?
>
> --
> Mark Mitchell
> CodeSourcery
> mark@codesourcery.com
> (650) 331-3385 x713
Additionally, the linked-to notes for GCC are reflective of the original
inaccuracies:
http://www.kb.cert.org/vuls/id/CRDY-7DWKWM
Vendor Statement
No statement is currently available from the vendor regarding this
vulnerability.
US-CERT Addendum
Vendors and developers using the GNU C compiler should consider
downgrading their version of gcc or sticking with versions of the gcc
compiler (before version 4.1) that do not perform the offending
optimization. In the case of gcc, it should be emphasized that this is a
change of behavior in the later versions of the compiler.
Later,
Brad
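The "offending optimization" the thread refers to, shown as an added example (not code from this thread, from the vulnerability note or from GCC): VU#162289 concerns bounds checks written as `buf + len < buf`, which only work if the pointer wraps around the address space. Because pointer arithmetic that leaves its object is undefined behaviour in C, a conforming compiler may treat the comparison as always false and delete it, and is not required to warn. The block below puts that pattern beside a check expressed in sizes only, and uses the safe form inside a hypothetical length-prefixed record parser (parser, function names and sample packets are all constructed for illustration):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Before" form: the kind of check the vulnerability note is about.  It asks
 * whether buf + len wrapped around the address space.  Forming a pointer
 * outside the object is undefined behaviour, so a conforming compiler may
 * assume it never wraps, fold the comparison to 0 and emit no diagnostic.
 * Kept here only to show the pattern; do not rely on it. */
int ptr_wrap_check_ub(const char *buf, size_t len)
{
    return buf + len < buf;             /* may be compiled as: return 0; */
}

/* Hardened form: reason about sizes, never about pointers that might wrap.
 * `off` and `len` describe a read of `len` bytes at offset `off` in a buffer
 * of `buflen` bytes.  The subtraction runs only after off <= buflen has been
 * established, so nothing here is undefined whatever the caller passes. */
int read_fits(size_t buflen, size_t off, size_t len)
{
    return off <= buflen && len <= buflen - off;
}

/* Hypothetical record format (constructed for this example): a two-byte
 * big-endian length followed by that many payload bytes.  Every access is
 * gated on read_fits() instead of a `pkt + 2 + len < pkt` style wrap test. */
int parse_record(const unsigned char *pkt, size_t pktlen,
                 unsigned char *out, size_t outlen, size_t *outn)
{
    if (!read_fits(pktlen, 0, 2))
        return -1;                      /* no room for the length field */
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (!read_fits(pktlen, 2, len))
        return -1;                      /* declared length overruns packet */
    if (len > outlen)
        return -1;                      /* would overrun caller's buffer */
    memcpy(out, pkt + 2, len);
    *outn = len;
    return 0;
}

/* Constructed sample packets, not captured data. */
const unsigned char sample_good[] = { 0x00, 0x03, 'a', 'b', 'c' };
const unsigned char sample_bad[]  = { 0xff, 0xff, 'a' };

int main(void)
{
    unsigned char out[16];
    size_t n = 0;

    printf("good packet: rc=%d len=%zu\n",
           parse_record(sample_good, sizeof sample_good, out, sizeof out, &n), n);
    printf("bad packet:  rc=%d\n",
           parse_record(sample_bad, sizeof sample_bad, out, sizeof out, &n));
    printf("huge length rejected: %d\n", !read_fits(100, 10, SIZE_MAX));
    return 0;
}
```

The point of `read_fits` is that every operand is an unsigned size that is compared before it is subtracted, so the compiler has no undefined behaviour to exploit and the check survives at any optimization level; the `ptr_wrap_check_ub` form gives the same answer only as long as the compiler chooses to keep it.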