Summary: | <sys-devel/gcc-4.8.0: Integer overflow can occur during the computation of the memory region size for new[] operator (CVE-2002-2439) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | toolchain |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://gcc.gnu.org/PR19351 | ||
See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=853906 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351 | ||
Whiteboard: | A3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2012-09-05 05:17:56 UTC
If anything that's a security enhancement for badly written programs, not a vulnerability itself.

It's not entirely clear whether the patch changes the ABI (they mention using a new symbol). If it does, then we won't be doing a backport of it.

Seems to be fixed in 4.8.0.

Bug fixed in 4.8.0 as previous comment notes. Below is a link to Red Hat's bugzilla stating the impact of backporting a patch. @base-system and @toolchain, please advise on backport. Doubtful a cleanup is possible here for compatibility reasons. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439

No plans to backport or clean up. gcc-4.9 is stable across the board at this point.

GLSA Vote: No

Thank you all for your work. Closing, no GLSA.
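The size computation named in the bug summary, modelled as an added example (not code from GCC or from this report): the unchecked product wraps to a tiny value, while the checked form refuses the request. `Record`, the 8-byte cookie and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Constructed sample element type: 32 bytes on common ABIs.
struct Record { std::uint32_t id; char name[28]; };
static_assert(sizeof(Record) == 32, "example assumes a 32-byte element");

// Unchecked form: count * elem_size + cookie wraps modulo 2^N for size_t.
std::size_t unchecked_array_bytes(std::size_t count, std::size_t elem_size,
                                  std::size_t cookie) {
    return count * elem_size + cookie;
}

// Checked form: false when the true size does not fit in size_t.
bool checked_array_bytes(std::size_t count, std::size_t elem_size,
                         std::size_t cookie, std::size_t *out) {
    const std::size_t max = std::numeric_limits<std::size_t>::max();
    if (elem_size != 0 && count > (max - cookie) / elem_size) return false;
    *out = count * elem_size + cookie;
    return true;
}

// Hypothetical allocator wrapper: refuses instead of under-allocating.
Record *alloc_records(std::size_t count) {
    std::size_t bytes = 0;
    if (!checked_array_bytes(count, sizeof(Record), 0, &bytes))
        throw std::bad_alloc();
    return static_cast<Record *>(::operator new(bytes));
}

// True when alloc_records() rejects the request with std::bad_alloc.
bool allocation_refused(std::size_t count) {
    try { ::operator delete(alloc_records(count)); }
    catch (const std::bad_alloc &) { return true; }
    return false;
}

int main() {
    // Smallest count whose byte size exceeds SIZE_MAX for 32-byte elements.
    const std::size_t huge = std::numeric_limits<std::size_t>::max() / 32 + 1;
    std::printf("unchecked: %zu bytes for %zu elements\n",
                unchecked_array_bytes(huge, sizeof(Record), 8), huge);
    std::printf("refused: %d\n", allocation_refused(huge));
    return 0;
}
```

Code that sizes buffers from untrusted counts on a compiler older than the fixed release needs a check of this kind at the call site, since the wrapped size makes the allocation succeed with far less memory than the loop over `count` will touch.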