* Re: VU#540517
2004-04-02 14:59 ` VU#540517 Robert C. Seacord
@ 2004-04-02 15:33 ` Giovanni Bajo
2004-04-02 15:55 ` VU#540517 Dave Korn
2004-04-02 17:05 ` VU#540517 Bruno Haible
2 siblings, 0 replies; 7+ messages in thread
From: Giovanni Bajo @ 2004-04-02 15:33 UTC (permalink / raw)
To: Robert C. Seacord, Bruno Haible
Cc: CERT(R) Coordination Center, eggert, drepper, drepper, glibc-sc,
gcc, gdr, Roger Sayle
Robert C. Seacord wrote:
> I've downloaded the latest (3.3.3) release and noticed that libgcc2
> has not been patched.
>
> I also went to the CVS log for gcc/gcc/libgcc2.c and I can see that
> the latest revision 1.168.6.1 of this file has been patched.
>
>[....]
>
> once i have had a chance to evaluate your latest patches i will
> comment http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6578 unless you
The patch for this bug was committed to mainline on July 6th, 2003, by Roger
Sayle. This means that it will be available starting from GCC 3.4.0. Previous
versions of GCC did not have this patch. If it turns out to be important for
security reasons, you can ask Gabriel Dos Reis (Release Manager of GCC 3.3,
CC:d in this message) for approval to backport the patch to the 3.3 serie (for
3.3.4+). Older release series (3.2 and such) are discontinued now.
Giovanni Bajo
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: VU#540517
2004-04-02 14:59 ` VU#540517 Robert C. Seacord
2004-04-02 15:33 ` VU#540517 Giovanni Bajo
@ 2004-04-02 15:55 ` Dave Korn
2004-04-02 16:03 ` VU#540517 Ian Lance Taylor
2004-04-02 17:05 ` VU#540517 Bruno Haible
2 siblings, 1 reply; 7+ messages in thread
From: Dave Korn @ 2004-04-02 15:55 UTC (permalink / raw)
To: gcc
> -----Original Message-----
> From: gcc-owner On Behalf Of Robert C. Seacord
> Sent: 02 April 2004 15:58
> once i have had a chance to evaluate your latest patches i
> will comment
> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6578 unless you prefer to
> keep this discussion private for security reasons.
You kind of blew that by posting it to a public mailing list! Anyone know
how many subscribers there are to gcc-l?
cheers,
DaveK
--
Can't think of a witty .sigline today....
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: VU#540517
2004-04-02 15:55 ` VU#540517 Dave Korn
@ 2004-04-02 16:03 ` Ian Lance Taylor
2004-04-02 16:06 ` VU#540517 Dave Korn
0 siblings, 1 reply; 7+ messages in thread
From: Ian Lance Taylor @ 2004-04-02 16:03 UTC (permalink / raw)
To: Dave Korn; +Cc: gcc
"Dave Korn" <dk@artimi.com> writes:
> You kind of blew that by posting it to a public mailing list! Anyone know
> how many subscribers there are to gcc-l?
931.
Of course some of the e-mail addresses are themselves exploders to
other lists, and of course people also read the mailing list via news
and via the web archives.
Ian
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: VU#540517
2004-04-02 16:03 ` VU#540517 Ian Lance Taylor
@ 2004-04-02 16:06 ` Dave Korn
0 siblings, 0 replies; 7+ messages in thread
From: Dave Korn @ 2004-04-02 16:06 UTC (permalink / raw)
To: 'Ian Lance Taylor'; +Cc: gcc
> -----Original Message-----
> From: Ian Lance Taylor
> Sent: 02 April 2004 17:03
> "Dave Korn" <dk@artimi.com> writes:
>
> > You kind of blew that by posting it to a public mailing
> list! Anyone know
> > how many subscribers there are to gcc-l?
>
> 931.
You're kidding! That few?! I expected an order of magnitude greater.
> Of course some of the e-mail addresses are themselves exploders to
> other lists, and of course people also read the mailing list via news
> and via the web archives.
Yeh, I guess it's impossible to even estimate how far it really spreads.
cheers,
DaveK
--
Can't think of a witty .sigline today....
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: VU#540517
2004-04-02 14:59 ` VU#540517 Robert C. Seacord
2004-04-02 15:33 ` VU#540517 Giovanni Bajo
2004-04-02 15:55 ` VU#540517 Dave Korn
@ 2004-04-02 17:05 ` Bruno Haible
2004-04-03 23:39 ` VU#540517 Richard Stallman
2 siblings, 1 reply; 7+ messages in thread
From: Bruno Haible @ 2004-04-02 17:05 UTC (permalink / raw)
To: Robert C. Seacord
Cc: CERT(R) Coordination Center, eggert, drepper, drepper, glibc-sc, gcc
Robert C. Seacord wrote:
> However, you claim that this is not the version of __mulvsi3 etc. that
> ends up in /lib/libgcc_s.so.1? if not, in which source file do these
> versions of the functions originate?
I said that on older systems the functions from libgcc2.c end up in
/lib/libc.so.6 and on newer systems they end up in /lib/libgcc_s.so.1.
> my best thinking
> right now is that 3.3.3 and previous versions are vulnerable to integer
> overflow. could you please confirm this?
All versions of gcc <= 3.3.3 have the bug we are talking about.
However, the term "vulnerable to integer overflow" is applicable to any
software programmed in C/C++ (compiled *without* -ftrapv) or Java or similar
languages. Only languages like ANSI Common Lisp, R5RS Scheme, or
implementations that use GNU gmp, are free from integer overflow
vulnerabilities.
Btw, the impact of the bug is probably zero: I bet that on a typical Linux
system, not a single program is compiled with -ftrapv. (Try googling for
"+cflags +frapv". All occurrences that you find are commented out.)
Bruno
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: VU#540517
2004-04-02 17:05 ` VU#540517 Bruno Haible
@ 2004-04-03 23:39 ` Richard Stallman
0 siblings, 0 replies; 7+ messages in thread
From: Richard Stallman @ 2004-04-03 23:39 UTC (permalink / raw)
To: Bruno Haible; +Cc: rcs, gcc, glibc-sc, drepper, cert, eggert, drepper
Btw, the impact of the bug is probably zero: I bet that on a typical Linux
system, not a single program is compiled with -ftrapv. (Try googling for
"+cflags +frapv". All occurrences that you find are commented out.)
You're probably right--but if we're having a discussion about the
GNU/Linux system, please let's not call it "Linux".
(See http://www.gnu.org/gnu/gnu-linux-faq.html for more explanation.)
^ permalink raw reply [flat|nested] 7+ messages in thread