Summary: | sys-devel/gcc =4.3.0 Missing cld instruction can lead to memory corruption (CVE-2008-1367) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED WONTFIX | ||
Severity: | trivial | CC: | hoffie, kernel, toolchain |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://thread.gmane.org/gmane.linux.kernel/650180 | ||
Whiteboard: | ~2 [ebuild?] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-03-18 02:23:00 UTC
Toolchain herd, gcc 4.3 is in Portage since today. I did not check if it exposes this bug or not, can you help here? According to a mailing list discussion [1] this is not a gcc bug, but a behavior change which perfectly matches the specifications. The problem is, that the Linux kernel (others too) did not match these specs... A patch to the kernel was already proposed [2] and committed [3] ten days ago, so now the question is, whether patching gcc is wanted or whether gcc-4.3 should simply require fixed kernels. CC'ing kernel herd for this reason. [1] http://thread.gmane.org/gmane.linux.kernel/650180 [2] http://lwn.net/Articles/272203/ [3] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e40cd10ccff3d9fbffd57b93780bee4b7b9bff51 i have no plans to modify gcc-4.3.0 behavior in anyway ... the realistic impact here is small as the number of applications this breaks is small (then again, for those who it does impact, i imagine they'll be quite annoyed) fix the kernel I have branched off bug 213811 for the Kernel patch, thanks for the notice. I would also think people using ~arch gcc and not keeping their kernel updated is not a setup we want to support and by the time gcc 4.3 hits stable, our kernels should be updated. while true, gcc-4.3.0 isnt even ~arch yet ;) so our kernel guys have time to get out a fixed gentoo-sources patchset |