CVE-2008-1367 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1367): gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.
Toolchain herd, gcc 4.3 is in Portage since today. I did not check if it exposes this bug or not, can you help here?
According to a mailing list discussion [1] this is not a gcc bug, but a behavior change which perfectly matches the specifications. The problem is that the Linux kernel (others too) did not match these specs... A patch to the kernel was already proposed [2] and committed [3] ten days ago, so now the question is whether patching gcc is wanted or whether gcc-4.3 should simply require fixed kernels. CC'ing kernel herd for this reason.
[1] http://thread.gmane.org/gmane.linux.kernel/650180
[2] http://lwn.net/Articles/272203/
[3] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
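The ABI point made above can be checked directly on a running system. The following probe is an added example and is not code from this bug report, from gcc or from the kernel patch; the function and variable names are my own. It sets DF in user space, delivers SIGUSR1 to itself through a raw kill(2) syscall, and has the handler record whether the kernel cleared DF before entering it. The x86-64 path is the only one implemented (the `std`/`syscall`/`cld` sequence and the syscall number 62 are x86-64 specific); on other platforms the probe reports that it is not available.

```c
/* Added example, not from the bug report: probe whether the running kernel
 * enters a signal handler with the x86 direction flag (DF) clear, which is
 * the ABI guarantee gcc 4.3 relies on when it omits `cld` before `rep movs`.
 * Only the x86-64 path is implemented; elsewhere the probe reports -1. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define EFLAGS_DF (1UL << 10)   /* bit 10 of EFLAGS/RFLAGS is DF */

/* -1: handler not yet run; 0: DF clear on entry; 1: DF set on entry */
static volatile sig_atomic_t df_on_entry = -1;

static void df_probe_handler(int sig)
{
    (void)sig;
#if defined(__x86_64__)
    unsigned long flags;
    __asm__ volatile ("pushfq\n\tpopq %0" : "=r"(flags));
    df_on_entry = (flags & EFLAGS_DF) ? 1 : 0;
    /* Leave with DF clear so nothing else in the handler is affected. */
    __asm__ volatile ("cld");
#else
    df_on_entry = 0;
#endif
}

/* Returns 1 if the kernel cleared DF before calling the handler (ABI
 * conforming, as the kernel fix referenced above ensures), 0 if the handler
 * inherited DF=1 from the interrupted code, -1 if the probe is unavailable. */
int kernel_clears_df_for_signals(void)
{
#if defined(__x86_64__)
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = df_probe_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;

    long nr = 62;                 /* x86-64 syscall number of kill(2) */
    long pid = (long)getpid();    /* taken before DF is set: libc calls need DF=0 */
    long sig = SIGUSR1;
    df_on_entry = -1;
    /* std sets DF; the syscall delivers SIGUSR1 to ourselves on its return to
     * user mode, so the handler runs while the interrupted context has DF=1;
     * cld restores the ABI state before any compiled C code continues.
     * All three are in one asm statement so the compiler never sees DF=1. */
    __asm__ volatile ("std\n\tsyscall\n\tcld"
                      : "+a"(nr)
                      : "D"(pid), "S"(sig)
                      : "rcx", "r11", "memory");
    if (nr != 0)                  /* kill(2) failed; nothing was delivered */
        return -1;
    return df_on_entry == 0 ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    int r = kernel_clears_df_for_signals();
    if (r == 1)
        puts("DF clear on signal handler entry: kernel conforms to the ABI");
    else if (r == 0)
        puts("DF set on signal handler entry: kernel affected by CVE-2008-1367");
    else
        puts("probe not available on this platform");
    return 0;
}
```

On a kernel that carries the fix, the handler always sees DF clear and the probe returns 1; a pre-fix kernel would hand the handler DF=1, and any gcc 4.3-compiled string routine called from that handler would then copy backwards. Taking `getpid()` before the `std` and folding `std`, `syscall` and `cld` into one asm statement matters: the ABI forbids calling any compiled function while DF is set, which is exactly the condition the bug is about.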
i have no plans to modify gcc-4.3.0 behavior in any way ... the realistic impact here is small, as the number of applications this breaks is small (then again, for those who it does impact, i imagine they'll be quite annoyed). fix the kernel
I have branched off bug 213811 for the kernel patch, thanks for the notice. I would also think people using ~arch gcc and not keeping their kernel updated is not a setup we want to support, and by the time gcc 4.3 hits stable, our kernels should be updated.
while true, gcc-4.3.0 isn't even ~arch yet ;) so our kernel guys have time to get out a fixed gentoo-sources patchset