Mark,

comments below.
> Robert C. Seacord wrote:
>> You are also right that the popularity of gcc is one of the reasons we decided to publish on this. If you identify other compilers that a) are relatively popular, b) have changed their behavior recently, and c) silently optimize out overflow checks, we will consider publishing vulnerability notes for those compilers as well.
>
> I have sent CERT information about two other popular optimizing compilers which do this optimization. Those compilers may have done it for longer than GCC, or not; I'm not sure. But, users of those compilers are just as vulnerable.
>
> The advisory suggests that people not use GCC.

no, it does not. it suggests they may not want to use the latest versions. this is one possible work around. we never say "use another compiler".

> If you don't mention that other compilers also do this, you may just prompt people to switch from GCC to some other compiler that behaves in the same way.
>
> The tone of the note also suggests that GCC is uniquely defective in some way. The title of the note mentions GCC, and the overview suggests that GCC is doing something wrong:
>
> "Some versions of gcc may silently discard certain checks for overflow. Applications compiled with these versions of gcc may be vulnerable to buffer overflows."
>
> Why not change the overview to something like:
>
> "Some compilers (including, at least, GCC, PathScale, and xlc) optimize away incorrectly coded checks for overflow. Applications containing these incorrectly coded checks may be vulnerable if compiled with these compilers."

ok, i'll review again for tone. generally we don't try to make these notes overly broad; they are only meant to draw attention to a specific issue.

rCs

--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC
Work: 412-268-7608
FAX: 412-268-6989

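The kind of "incorrectly coded" overflow check the thread refers to, beside a correctly coded one, as an added C example that is not part of this message or the CERT note: the pointer-wrap shape of the bad check, the 64-byte buffer and the copy sizes are my assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Buffer size for the constructed example. */
#define BUF_SIZE 64

/* "Incorrectly coded" overflow check, in the shape assumed here for
 * illustration (not quoted from the CERT note): it tests whether
 * buf + len wrapped around. Computing a pointer more than one past the
 * end of its object is undefined behaviour, so a conforming optimizer may
 * treat the wrap as impossible and remove the test, leaving an unbounded
 * memcpy. Kept only for contrast; never called. */
bool append_wrapcheck(char *buf, char *end, const char *src, size_t len)
{
    if (buf + len < buf)   /* the check an optimizer may silently drop */
        return false;
    if (buf + len > end)   /* buf + len may itself be out of range */
        return false;
    memcpy(buf, src, len);
    return true;
}

/* Correctly coded check: compare lengths and never form an out-of-range
 * pointer. end - buf is a valid in-range difference whenever buf <= end. */
bool append_lencheck(char *buf, char *end, const char *src, size_t len)
{
    if (buf > end)
        return false;
    size_t avail = (size_t)(end - buf);
    if (len > avail)
        return false;
    memcpy(buf, src, len);
    return true;
}

/* Driver over a constructed 64-byte buffer: try to copy len bytes at
 * offset, returning whether the length-based check accepted the copy. */
bool try_append(size_t offset, size_t len)
{
    static char buf[BUF_SIZE];
    static const char src[BUF_SIZE] = "constructed sample payload";
    if (offset > BUF_SIZE)
        return false;  /* keep buf + offset a valid pointer */
    return append_lencheck(buf + offset, buf + BUF_SIZE, src, len);
}
```

The length comparison rejects the huge-length case that the wrap-around test was meant to catch, and it does so without relying on behaviour the optimizer is entitled to assume away.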