Miles, the GCC developers don't consider this to be a bug, and so I doubt that any of it will be "fixed". For example, here is a "bug" cited in the paper:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=30475 If you have a moment, read through that thread. It gets pretty testy as the developers argue over whether or not it's a bug. Eventually it was closed as "invalid', i.e. not really a true bug. It's not just GCC, either. Take a look at this series of blog posts by the LLVM team: http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html Compiler developers, for better or worse, reserve the right to do whatever they want with undefined behavior, and it's up to the person writing the C code to not include undefined behavior in their own program. Therefore, a Linux distribution has 2 choices: (1) wait for upstream patches for bugs/vulnerabilities as they are found, or (2) recompile all packages with optimizations disabled. I don't think proposal #2 would get very far... On Tue, Nov 26, 2013 at 1:54 PM, Miles Fidelman <mfidel...@meetinghouse.net>wrote: > Going back through the discussion on this thread, I'm taken by two main > reactions: > > - discussion of the specific class of bugs/security holes > - a lot of comments that "this is an issue for upstream" > > What I haven't seen, so I'll add it to the discussion, is that this > strikes me as an issue for "WAY upstream" - i.e., if gcc's optimizer is > opening a class of security holes - then it's gcc that has to be fixed, > after which that class of holes would go away after the next build of any > impacted package. > > Miles Fidelman > > > > -- > To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact > listmas...@lists.debian.org > Archive: http://lists.debian.org/5294ee82.8050...@meetinghouse.net > > -- Mark E. Haase CISSP, CEH Sr. Security Software Engineer www.lunarline.com 3300 N Fairfax Drive, Suite 308, Arlington, VA 22201 202-815-0201 "Solutions Built on Security" TM Lunarline, Inc. is an ISO 9001 and CMMI Level 2 Certified SDVOSB Information Assurance\ Cyber Security Services Company.
