Date: Mon, 7 Apr 2008 23:00:36 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: gcc 4.2 optimizations and integer overflow checks On Mon, Apr 07, 2008 at 06:39:33PM +0200, Nico Golde wrote: > * Steven M. Christey <coley@...us.mitre.org> [2008-04-07 18:24]: > > While an unusual bug, we decided to assign a CVE for it. ... > > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1685 > > Reference: CERT-VN:VU#162289 > > Reference: URL:http://www.kb.cert.org/vuls/id/162289 > [...] > Please add http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26763 > to the references. FWIW, there are also actual gcc bugs that cause miscompiles - and they may potentially result in security vulnerabilities - yet I am not sure if "proactively" treating the gcc bugs themselves as security issues is appropriate. This is interesting - here we have a gcc non-bug that deserves a CERT Vulnerability Note and a CVE number (which I agree with), yet actual bugs might not deserve such treatment. Here's an example of an actual bug - http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26587 - this one caused my Blowfish implementation to be miscompiled, possibly making the cipher weaker (in case the misbehavior went unnoticed). By the way, I was surprised by how quickly this one was confirmed (16 minutes) and fixed (less than a day). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.