
Bug 216859 (CVE-2008-1685)

Summary: sys-devel/gcc >=4.2.0 Optimization of integer overflow checks may lead to buffer overflows (CVE-2008-1685)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: trivial
CC: toolchain
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.kb.cert.org/vuls/id/162289
See Also: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26763
Whiteboard: ~2? [ebuild]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 11:35:50 UTC
CVE-2008-1685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1685):
  gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used,
  considers the sum of a pointer and an int to be greater than or equal to the
  pointer, which might remove length testing code that was intended as a
  protection mechanism against integer overflow and buffer overflow attacks.
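The check pattern the CVE description refers to, next to two forms that do not depend on pointer overflow, as an added example (not code from this bug report, CERT, or GCC). The function names and the 16-byte sample buffer are constructed for illustration, and `fits_cast` assumes a flat address space where `uintptr_t` values order like addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fragile idiom: computing buf + len beyond one-past-the-end of the object is
 * undefined behaviour, so the compiler may assume buf + len >= buf and drop
 * the wraparound test entirely. Kept here for comparison only. */
static int fits_fragile(const char *buf, const char *buf_end, size_t len)
{
    if (buf + len < buf)            /* this is the test that can disappear */
        return 0;
    return buf + len <= buf_end;
}

/* Preferred form: never form an out-of-range pointer. buf_end - buf is well
 * defined because both pointers refer to the same object. */
static int fits_checked(const char *buf, const char *buf_end, size_t len)
{
    return len <= (size_t)(buf_end - buf);
}

/* Cast form ("when casts are not used" in the CVE text): unsigned integer
 * arithmetic wraps with defined behaviour, so the test cannot be removed. */
static int fits_cast(const char *buf, const char *buf_end, size_t len)
{
    uintptr_t start = (uintptr_t)buf;
    uintptr_t sum = start + len;    /* may wrap; that is defined for unsigned */
    if (sum < start)
        return 0;
    return sum <= (uintptr_t)buf_end;
}

int main(void)
{
    char buf[16] = {0};             /* constructed sample buffer */
    const char *end = buf + sizeof buf;
    size_t lens[] = { 8, 16, 17, SIZE_MAX };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%zu checked=%d cast=%d\n", lens[i],
               fits_checked(buf, end, lens[i]), fits_cast(buf, end, lens[i]));
    /* The fragile form is only called with an in-range length, where it is defined. */
    printf("fragile(8)=%d\n", fits_fragile(buf, end, 8));
    return 0;
}
```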
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 11:43:08 UTC
Upstream bug:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26763
Comment 2 Mark Loeser (RETIRED) gentoo-dev 2008-04-08 15:03:26 UTC
This is not a GCC bug as many other compilers perform the same exact optimization.  This CERT announcement has caused quite a stir on the GCC mailing lists:

http://gcc.gnu.org/ml/gcc/2008-04/msg00115.html
Comment 3 SpanKY gentoo-dev 2008-04-08 15:04:39 UTC
are you sure this is relevant?  the bug is clearly fixed in gcc-4.1.2 (which is the stable version), and i'm pretty sure gcc-4.2.3 and gcc-4.3.0 are fixed

if you look at gcc svn, the issue was fixed in svn trunk at rev 112697.  gcc-4.2 and gcc-4.3 were branched long after at that rev (117923 and 132392 respectively).

so unless the bug was later re-introduced ... and if so, that gcc PR is not relevant
Comment 4 SpanKY gentoo-dev 2008-04-12 23:04:53 UTC
solution: write correct code