From Red Hat Bugzilla at $URL:
It was reported that the C++ new operator was previously missing integer overflow / wrap-around checks for its arguments. If an application compiled with gcc accepted untrusted input for memory allocation and was missing application-level checks for integer overflows of the arguments provided to the new operator, an attacker could use this flaw to cause the memory region ultimately allocated for the new operator statement to be smaller than truly required, possibly leading to heap-based buffer overflows.
Upstream bug report:
Proposed upstream patch for the __cxa_vec_new yet (pending upstream review):
If anything, that's a security enhancement for badly written programs, not a vulnerability itself.
It's not entirely clear whether the patch changes the ABI (they mention using a new symbol). If it does, then we won't be doing a backport of it.
Seems to be fixed in 4.8.0.
Bug fixed in 4.8.0, as the previous comment notes. Below is a link to Red Hat's Bugzilla stating the impact of backporting a patch.
@base-system and @toolchain, please advise on backport. Doubtful a cleanup is possible here for compatibility reasons.
No plans to backport or clean up. gcc-4.9 is stable across the board at this point.
GLSA Vote No
Thank you all for your work
Closing no GLSA
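The wrap-around described in the Red Hat report at the top of this bug, as an added C++ example (not code from the report, the upstream patch, or GCC): it shows how `count * sizeof(T)` wraps to a tiny size and the application-level check the report says affected programs were missing. `Record`, `unchecked_bytes`, `checked_bytes` and `alloc_array` are hypothetical names chosen for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <new>
#include <stdexcept>

// Constructed element type (16 bytes), standing in for any record an
// application allocates in bulk from an untrusted count.
struct Record { std::uint64_t id; std::uint64_t value; };

// The size an unchecked new[] ends up requesting: count * elem_size in
// size_t arithmetic, which silently wraps modulo 2^N.
std::size_t unchecked_bytes(std::size_t count, std::size_t elem_size) {
    return count * elem_size;
}

// Application-level check: refuse any count whose byte size cannot be
// represented in size_t. Returns false on overflow, otherwise sets `out`.
bool checked_bytes(std::size_t count, std::size_t elem_size, std::size_t &out) {
    if (elem_size != 0 &&
        count > std::numeric_limits<std::size_t>::max() / elem_size)
        return false;
    out = count * elem_size;
    return true;
}

// Hypothetical helper: validate the untrusted count before it ever reaches
// new[], so the outcome does not depend on the compiler's own check.
template <typename T>
T *alloc_array(std::size_t count) {
    std::size_t bytes;
    if (!checked_bytes(count, sizeof(T), bytes))
        throw std::length_error("array size overflows size_t");
    return new T[count]();  // value-initialised elements
}
```

With a count just past `SIZE_MAX / sizeof(Record)`, the unchecked product is only 16 bytes, which is the undersized region the report describes; the checked path rejects the same count before any allocation happens.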