Re: US-CERT Vulnerability Note VU#162289

2008-04-22 Thread Chad Dougherty

Joe Buck wrote:

Thanks.  I hope that you will correct the advisory promptly to avoid any
implication that one should switch from GCC to a different compiler based
on this issue, since we've already established that most of GCC's
competitors perform similar optimizations under some circumstances (even if
the particular example that appears in the CERT report is not affected,
other, similar examples will be, particularly if they appear in a loop).

Both CERT and GCC have their reputations to consider here, and I think
that this advisory has damaged the reputations of *both*.
The vulnerability note has been significantly reworked to focus on the
issue of undefined behavior handling in the compiler and the fact that
conforming implementations are not required to warn of this condition.
I've tried to incorporate many of the valid concerns that were raised on
this list in response to the original vulnerability note.
The advisory should emphasize the solution of auditing buffer overflow
checks to make sure that they are correct C, and should help people
write such checks correctly.


The vulnerability note itself essentially punts this issue to the 
corresponding documents in our Secure Coding standard.


-Chad
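To make the "correct C" point from the exchange above concrete, here is an added example (not from the thread, and not CERT's or GCC's code): the pointer-plus-length wraparound check that VU#162289 concerns, kept as a comment because executing it is undefined behaviour, beside two ways to write the same bound check that the standard fully defines. The function names and the 16-byte sample buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * The pattern the advisory concerns, shown only as a comment because
 * executing it is undefined behaviour:
 *
 *     if (cur + len < cur)      -- intended as a wraparound check
 *         return -1;
 *
 * Pointer arithmetic is defined only while the result stays inside the
 * object (or one past its end). A wrapped pointer can therefore never
 * occur in a defined program, so a conforming compiler may treat the
 * condition as always false and delete it, and it is not required to
 * warn when it does so.
 */

/* Well-defined form using pointers: subtract instead of add.
 * Precondition: cur and end point into (or one past) the same buffer
 * with cur <= end, so end - cur is defined. The comparison is then on
 * plain unsigned integers, which cannot silently wrap. */
int fits_by_pointer(const unsigned char *cur, const unsigned char *end, size_t len)
{
    return len <= (size_t)(end - cur);
}

/* Well-defined form using offsets: unsigned arithmetic is fully defined,
 * so this is honest for every off and len, including SIZE_MAX. The
 * subtraction is guarded so `size - off` cannot wrap either. */
int fits_by_offset(size_t size, size_t off, size_t len)
{
    return off <= size && len <= size - off;
}

/* Constructed sample: a 16-byte message buffer with the cursor at byte 8.
 * Returns 0 when every check behaves as expected. */
int demo(void)
{
    unsigned char msg[16] = {0};
    const unsigned char *cur = msg + 8;
    const unsigned char *end = msg + sizeof msg;

    if (!fits_by_pointer(cur, end, 8))       return 1;  /* exactly fills: ok */
    if (fits_by_pointer(cur, end, 9))        return 2;  /* one byte too many */
    if (fits_by_pointer(cur, end, SIZE_MAX)) return 3;  /* huge length rejected */
    if (fits_by_offset(16, 8, SIZE_MAX))     return 4;  /* same, offset form */
    return 0;
}
```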


Re: US-CERT Vulnerability Note VU#162289

2008-04-23 Thread Chad Dougherty

Mark Mitchell wrote:
However, I'm surprised that only GCC is listed as "vulnerable" at the 
bottom of the page.  We've provided information about a lot of other 
compilers that do the same optimization.  Why is the status for 
compilers from Microsoft, Intel, IBM, etc. listed as "Unknown" instead 
of "Vulnerable"?
The vendors listed in that section are the ones we've contacted asking
for a statement.  The note gets updated as we get information from them.
We won't include information about other vendors without either a
statement from them or independent verification of their affectedness.


-Chad


Re: US-CERT Vulnerability Note VU#162289

2008-04-23 Thread Chad Dougherty

Brad Roberts wrote:
Additionally, the linked-to notes for GCC are reflective of the original
inaccuracies:


http://www.kb.cert.org/vuls/id/CRDY-7DWKWM

Vendor Statement
No statement is currently available from the vendor regarding this 
vulnerability.


US-CERT Addendum
Vendors and developers using the GNU C compiler should consider 
downgrading their version of gcc or sticking with versions of the gcc 
compiler (before version 4.1) that do not perform the offending 
optimization. In the case of gcc, it should be emphasized that this is a 
change of behavior in the later versions of the compiler.
Why is this inaccurate?  The objections to the original version of the
note on this list were that it appeared to advocate dumping gcc in favor
of another compiler that may do the same optimization.  This addendum
merely suggests considering using an older version of gcc.


-Chad


Re: US-CERT Vulnerability Note VU#162289

2008-04-23 Thread Chad Dougherty

David Miller wrote:

How, may I ask, did that policy apply to the GCC "vendor"
when this all got started?


Our own testing of multiple versions of gcc on multiple platforms and 
subsequent confirmation by Mark that it was intentional, desired 
behavior.  This all occurred prior to even the initial version of the note.


-Chad


Re: US-CERT Vulnerability Note VU#162289

2008-04-23 Thread Chad Dougherty

David Miller wrote:

CERT is asking these vendors for "approval" for the text they will add
mentioning anything about their product.  That's the bit I'm talking
about.

They are getting protection and consideration that was not really
afforded to GCC.

CERT treated GCC differently.


This is not true.  The "Statement" section of the vendor status is for 
official, usually verbatim, statements from the vendor.  The "Addendum" 
section is reserved for our own comments, even those that may contradict 
the vendor's response if we have reason to do so.


You'll note that the suggestion about _considering_ using older versions 
of gcc appears in the addendum.


-Chad