Summary: | sys-devel/gcc: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | whissi |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2016/05/05/3 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=641506 | ||
Whiteboard: | A2 [cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2016-05-06 08:51:50 UTC
Its good to know about these and that a fix is coming down the pipeline, but you really shouldn't expect much security from gcc or binutils themselves. Now the binaries the produce is a different story. *** Bug 599802 has been marked as a duplicate of this bug. *** https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 - CVE-2016-2226 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 - CVE-2016-4487 and CVE-2016-4488 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492 - CVE-2016-4489 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498 - CVE-2016-4490 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909 - CVE-2016-4491 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 - CVE-2016-4492 UPDATE: All CVEs reported FIXED by upstream > > 1) Exploitable Buffer Overflow (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later -> all unmasked versions in Gentoo fixed > > 2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later > > 3) Invalid Write due to Integer Overflow (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492 Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later > > 4) Write Access Violation (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498 Fixed upstream in 4.9.4, 5.4, 6.2 and later, 7.1 and later > > 5) Various Stack Corruptions (Patch under Review) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909 > https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00105 Fixed upstream in 7.1 and later > > 6) Write Access Violation (Patch under Review) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 > https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00223 Fixed upstream in 7.1 and later Splitting out 5 and 6 into a separate bug so we can proceed here.
> >
> > 1) Exploitable Buffer Overflow (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
>
> Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later
> -> all unmasked versions in Gentoo fixed
>
> >
> > 2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
>
> Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later
>
> >
> > 3) Invalid Write due to Integer Overflow (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492
>
> Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later
>
> >
> > 4) Write Access Violation (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498
>
> Fixed upstream in 4.9.4, 5.4, 6.2 and later, 7.1 and later
>
All unmasked versions are fixed. No further cleanup (toolchain package).
Please proceed. Toolchain out.
|