Re: MIT discovered issue with gcc

[Miles Fidelman <mfidelman@meetinghouse.net>]

Wow... that really is kind of testy. And... point taken.

Mark Haase wrote:
> Miles, the GCC developers don't consider this to be a bug, and so I 
> doubt that any of it will be "fixed". For example, here is a "bug" 
> cited in the paper:
>
> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=30475
>
> If you have a moment, read through that thread. It gets pretty testy 
> as the developers argue over whether or not it's a bug. Eventually it 
> was closed as "invalid', i.e. not really a true bug. It's not just 
> GCC, either. Take a look at this series of blog posts by the LLVM team:
>
> http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html
>
> Compiler developers, for better or worse, reserve the right to do 
> whatever they want with undefined behavior, and it's up to the person 
> writing the C code to not include undefined behavior in their own program.
>
> Therefore, a Linux distribution has 2 choices: (1) wait for upstream 
> patches for bugs/vulnerabilities as they are found, or (2) recompile 
> all packages with optimizations disabled. I don't think proposal #2 
> would get very far...
>
>
>
> On Tue, Nov 26, 2013 at 1:54 PM, Miles Fidelman 
> <mfidelman@meetinghouse.net <mailto:mfidelman@meetinghouse.net>> wrote:
>
>     Going back through the discussion on this thread, I'm taken by two
>     main reactions:
>
>     - discussion of the specific class of bugs/security holes
>     - a lot of comments that "this is an issue for upstream"
>
>     What I haven't seen, so I'll add it to the discussion, is that
>     this strikes me as an issue for "WAY upstream" - i.e., if gcc's
>     optimizer is opening a class of security holes - then it's gcc
>     that has to be fixed, after which that class of holes would go
>     away after the next build of any impacted package.
>
>     Miles Fidelman
>
>
>
>     -- 
>     To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>     <mailto:debian-security-REQUEST@lists.debian.org>
>     with a subject of "unsubscribe". Trouble? Contact
>     listmaster@lists.debian.org <mailto:listmaster@lists.debian.org>
>     Archive: [🔎] 5294EE82.8050502@meetinghouse.net">http://lists.debian.org/[🔎] 5294EE82.8050502@meetinghouse.net
>
>
>
>
> --
> Mark E. Haase
> CISSP, CEH
> Sr. Security Software Engineer
> www.lunarline.com <http://www.lunarline.com>
> 3300 N Fairfax Drive, Suite 308, Arlington, VA 22201
> 202-815-0201
>
> "Solutions Built on Security" TM
> Lunarline, Inc. is an ISO 9001 and CMMI Level 2 Certified SDVOSB 
> Information Assurance\ Cyber Security Services Company.