* Inquiry about ARM gcc5 CVE-2023-4039 Patch
@ 2023-10-24 2:53 老小孩老小孩
2023-10-24 3:00 ` Andrew Pinski
0 siblings, 1 reply; 2+ messages in thread
From: 老小孩老小孩 @ 2023-10-24 2:53 UTC (permalink / raw)
To: gcc-patches
[-- Attachment #1: Type: text/plain, Size: 971 bytes --]
Dear arms,
I hope this message finds you well.
I am writing to inquire about the issue of ARM gcc5 CVE-2023-4039. According to the advisory on GitHub (https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf), this bug affects versions from 5.4.0 to the trunk as of May 15, 2023.
However, I noticed that currently, patches are only provided for gcc7 and above, as per the information available on the ARM Security Center (https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64).
Given the potential impact of this vulnerability, I am particularly interested in a patch for gcc5. Could you please provide information on whether a patch for gcc5 is available or planned? If not, could you suggest any possible workarounds or mitigation strategies for systems that are currently using gcc5?
I appreciate your attention to this matter and look forward to your response.
Best regards,
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Inquiry about ARM gcc5 CVE-2023-4039 Patch
2023-10-24 2:53 Inquiry about ARM gcc5 CVE-2023-4039 Patch 老小孩老小孩
@ 2023-10-24 3:00 ` Andrew Pinski
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Pinski @ 2023-10-24 3:00 UTC (permalink / raw)
To: 老小孩老小孩; +Cc: gcc-patches
On Mon, Oct 23, 2023 at 7:54 PM 老小孩老小孩 <arabain@126.com> wrote:
>
> Dear arms,
>
> I hope this message finds you well.
>
> I am writing to inquire about the issue of ARM gcc5 CVE-2023-4039. According to the advisory on GitHub (https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf), this bug affects versions from 5.4.0 to the trunk as of May 15, 2023.
>
> However, I noticed that currently, patches are only provided for gcc7 and above, as per the information available on the ARM Security Center (https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64).
>
> Given the potential impact of this vulnerability, I am particularly interested in a patch for gcc5. Could you please provide information on whether a patch for gcc5 is available or planned? If not, could you suggest any possible workarounds or mitigation strategies for systems that are currently using gcc5?
>
> I appreciate your attention to this matter and look forward to your response.
THIS should NEVER have been a security CVE in the first place.
This is not a security issue with any correct code that GCC will process.
GCC does not consider this a security issue according to its security policy.
See the "Security features implemented in GCC" section of
https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt;hb=HEAD
for more information on that policy.
Thanks,
Andrew Pinski
>
> Best regards,
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-10-24 3:01 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-24 2:53 Inquiry about ARM gcc5 CVE-2023-4039 Patch 老小孩老小孩
2023-10-24 3:00 ` Andrew Pinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).