
Re: MIT discovered issue with gcc

Miles, the GCC developers don't consider this to be a bug, and so I doubt that any of it will be "fixed". For example, here is a "bug" cited in the paper:


If you have a moment, read through that thread. It gets pretty testy as the developers argue over whether or not it's a bug. Eventually it was closed as "invalid", i.e. not really a true bug. It's not just GCC, either. Take a look at this series of blog posts by the LLVM team:


Compiler developers, for better or worse, reserve the right to do whatever they want with undefined behavior, and it's up to the person writing the C code to not include undefined behavior in their own program.

Therefore, a Linux distribution has 2 choices: (1) wait for upstream patches for bugs/vulnerabilities as they are found, or (2) recompile all packages with optimizations disabled. I don't think proposal #2 would get very far...

On Tue, Nov 26, 2013 at 1:54 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Going back through the discussion on this thread, I'm taken by two main reactions:

- discussion of the specific class of bugs/security holes
- a lot of comments that "this is an issue for upstream"

What I haven't seen, so I'll add it to the discussion, is that this strikes me as an issue for "WAY upstream" - i.e., if gcc's optimizer is opening a class of security holes - then it's gcc that has to be fixed, after which that class of holes would go away after the next build of any impacted package.

Miles Fidelman

Archive: http://lists.debian.org/5294EE82.8050502@meetinghouse.net

Mark E. Haase
Sr. Security Software Engineer
3300 N Fairfax Drive, Suite 308, Arlington, VA 22201

"Solutions Built on Security" TM
Lunarline, Inc. is an ISO 9001 and CMMI Level 2 Certified SDVOSB Information Assurance / Cyber Security Services Company.
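To make the class of bug concrete, here is an added illustration of the "check written after the undefined operation" pattern that the paper under discussion flags. It is not code from the paper, from the GCC bug thread, or from any Debian package; the function names and the sample bytes are made up for the example. Each pair shows the idiom whose check the optimizer is entitled to delete, next to a version that tests the condition using only defined operations, which is the "don't put undefined behavior in your program" half of the argument above.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Two "check after the fact" idioms.  Both invoke undefined behaviour
 * in C, so GCC may assume the bad case cannot happen and delete the
 * check at -O2.  Beside each is a form that decides before doing
 * anything undefined.
 */

/* Lengths are non-negative; -1 signals that the sum would overflow.
 * The sum is computed first and the wrap detected afterwards, but signed
 * overflow is undefined, so the optimizer may treat `sum < base` as
 * always false and drop the `return -1` path entirely. */
int total_len_ub(int base, int extra)
{
    int sum = base + extra;     /* undefined if this overflows */
    if (sum < base)             /* may be optimized away */
        return -1;
    return sum;
}

/* Hardened: decide before adding.  INT_MAX - extra cannot overflow once
 * extra is known to be non-negative.  (GCC and Clang also provide
 * __builtin_add_overflow() for the same purpose.) */
int total_len_safe(int base, int extra)
{
    if (base < 0 || extra < 0 || base > INT_MAX - extra)
        return -1;
    return base + extra;
}

/* Null test placed after the dereference.  Dereferencing a null pointer
 * is undefined, so once `*p` has executed the compiler may assume
 * p != NULL and discard the check (GCC's -fdelete-null-pointer-checks,
 * on by default at -O2). */
int first_byte_ub(const unsigned char *p)
{
    int v = *p;                 /* dereference first... */
    if (p == NULL)              /* ...then a check that may be deleted */
        return -1;
    return v;
}

/* Hardened: check, then dereference. */
int first_byte_safe(const unsigned char *p)
{
    if (p == NULL)
        return -1;
    return *p;
}

/* Constructed sample input: the first four bytes of an ELF header. */
static const unsigned char sample[] = { 0x7f, 0x45, 0x4c, 0x46 };

int main(void)
{
    /* The *_ub results depend on the optimization level; the *_safe
     * results do not.  Compare `gcc -O0` with `gcc -O2`, then add
     * -fwrapv to the -O2 build and total_len_ub returns -1 again. */
    printf("total_len_ub  (INT_MAX, 1) = %d\n", total_len_ub(INT_MAX, 1));
    printf("total_len_safe(INT_MAX, 1) = %d\n", total_len_safe(INT_MAX, 1));
    printf("total_len_safe(100, 28)    = %d\n", total_len_safe(100, 28));
    printf("first_byte_ub  (sample)    = 0x%02x\n", first_byte_ub(sample));
    printf("first_byte_safe(sample)    = 0x%02x\n", first_byte_safe(sample));
    printf("first_byte_safe(NULL)      = %d\n", first_byte_safe(NULL));
    return 0;
}
```

Two practical notes. First, a unit test cannot be relied on to catch this class of bug: the same source passes at -O0 and fails at -O2, so the check has to be reviewed as code, not observed as behaviour. Second, between "wait for upstream" and "disable optimizations" there are narrower knobs: -fwrapv makes signed overflow wrap (so the first check works as written) and -fno-delete-null-pointer-checks keeps the second, at a smaller performance cost than -O0, though they only paper over the specific idioms they name.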
