> On Mar 12, 2025, at 11:57 AM, Paul Smith <psm...@gnu.org> wrote:
>
> On Wed, 2025-03-12 at 15:05 +0000, Yao Shuangjie wrote:
>> We are cybersecurity researchers from the Hong Kong University of
>> Science and Technology. We found several security violations of
>> undefined behaviors in GNU make 4.4.1 using our novel symbolic
>> execution technique several months ago. The details are shown below.
>
> Thanks for your work.
>
> However, I don't think you're correct in your statement above.
>
> In C, unsigned integer overflow is NOT undefined behavior; in fact it's
> very well defined and specified by the standard and has been
> essentially forever.
I agree. In *some* cases an unsigned integer overflow is unanticipated,
and can then lead to a security problem, but the operation itself is
well-defined.
> This is also not a security violation: ...
I don't see the security violation either. Generally GNU make doesn't
have elevated privileges in the first place. If one is identified I'd like to
know!
--- David A. Wheeler
