at least sys-devel/gcc-4.{3,4} are affected by gcc bug #41433 when mudflap is enabled: "mudflap accepts options via $MUDFLAP_OPTIONS even when running setuid. -viol-gdb option invokes programs upon error detection which is bad. Note that NULL ptr derefs which are unexploitable in userspace programs, then become exploitable. Fix by either ignoring this variable for setuid's (other options are bad too; what worth a mudflap if it can be disabled for setuids which it should protect) or some other magic. " References: http://c-skills.blogspot.com/2009/09/gcc-fmudflap.html http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41433 Reproducible: Always Steps to Reproduce:
Created attachment 245389 [details] gcc-4.4.x: fix $MUDFLAP_OPTIONS environment handling, based on gcc bug #41433
all gcc-4.x versions before 4.5 have this issue
Added to 4.4.4 patchset. Do we need any earlier versions? http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/gcc/4.4.4/gentoo/20_all_mudflap-setuid-env.patch?rev=1.1&view=markup
yes, but i would just queue them up in the patch dir rather than doing revbumps on them all
Released in 4.4.4-r2. Still have to do previous versions.
older versions are supported as a courtesy. no need to go through the full release effort.
