
Bug#710830: gcc-4.7: CVE-2002-2439



Control: severity -1 important
Control: tags -1 - patch
Control: tags -1 + moreinfo

On 02.06.2013 21:47, Michael Gilbert wrote:
> Package: gcc-4.7
> Severity: serious
> Version: 4.7.0-1
> Tags: security, patch
> 
> Hi,
> An integer overflow issue was discovered for gcc-4.7:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439
> 
> This is already fixed in gcc-4.8.
> 
> These seem to be the two relevant patches that fix the problem:
> http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01416.html
> http://gcc.gnu.org/ml/gcc-patches/2012-06/msg01689.html
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2439
>     http://security-tracker.debian.org/tracker/CVE-2002-2439
> Please adjust the affected versions in the BTS as needed.

This is #402694. It is disappointing that the security team did become a management-only
team.  Note that this is an issue where even a member of the security team
is involved upstream, doesn't comment, doesn't backport the patch upstream,
doesn't do that much with this issue.  No, it can't be severity serious with
this kind of attitude.

So please backport this one first upstream, test it, then come back, then I'll
pull it from the 4.7 branch.

Thanks, Matthias

