No it's not. Don't think many experienced sysadmins would feel happy
relying on the "privileged daemon compiled with gcc-4.3" as a sound
foundation for security.
Securing systems means multiple layers and not leaving apparently small
flaws and leaving a single point of critical failure. Then when defense 1
is broken, the next has to be breached to, which buys time when exploits
become known, or some script kiddie has started an attack and found a hole
in some service you offer.
If you're running a web-server for example, you don't give a shell out,
yet your defense only has to fail once, for some web app to permit code to
be run. If you run a host with multiple users, with shell access then
flipping a register which is meant to be cleared, might cause some
instability and permit an unintentional DoS.
It doesn't matter, that an exploit is not clear, the fact that it is not
absolutely unexploitable, argues for patching the kernel as has been done.
That we agreed on. My post was not complaining against the kernel, nor
gcc, but argueing the futileness of patching gcc-4.3 to revert to non-ABI
Your assumption that gcc-4.3 or another compiler cannot be built by a
user is wrong, so the logic statement "gcc = 4.3 & kernel < 2.6.25"
should actually be the simpler "unpatched kernel < 2.6.25". You may feel,
that is too pessimistic, but I'm afraid in the real world root does make
mistakes, so relying on need for root privilege to install the daemon is
If the kernel is compiled, with an older gcc, then it may very well be
clearing the DF bit, for the kernel accidentally, and I suspect that the
reason the kernel wasn't clearing it, was because gcc already did it.
That's creditting the kernel developers for actually testing conformance
to the ABI.
As for older kernels, getting compiled with unsupported compilers,
distro's have done that frequently in the past and also hobbyist types,
may try latest gcc and see if it works. A subtle issue like this is
exactly the type of thing that falls between the cracks. I agree that
folk shouldn't do it, but in the real world ppl do build "unsupported"
combinations and as FOSS doesn't come with a legal warranty, your users
aren't seeing much difference between that and the situation with the
correct software versions.
You seem to agree that reverting gcc-4.3 and patching the kernel is the
correct action, and furthermore that "deployment" may be the weak area, so
why be so condescending?