User: Password:
Subscribe / Log in / New account

Re: MIT discovered issue with gcc

From:  Mark Haase <>
To:  Miles Fidelman <>
Subject:  Re: MIT discovered issue with gcc
Date:  Tue, 26 Nov 2013 14:37:18 -0500
Message-ID:  <>
Cc:  "" <>, debian-user <>
Archive-link:  Article

Miles, the GCC developers don't consider this to be a bug, and so I doubt
that any of it will be "fixed". For example, here is a "bug" cited in the

If you have a moment, read through that thread. It gets pretty testy as the
developers argue over whether or not it's a bug. Eventually it was closed
as "invalid', i.e. not really a true bug. It's not just GCC, either. Take a
look at this series of blog posts by the LLVM team:

Compiler developers, for better or worse, reserve the right to do whatever
they want with undefined behavior, and it's up to the person writing the C
code to not include undefined behavior in their own program.

Therefore, a Linux distribution has 2 choices: (1) wait for upstream
patches for bugs/vulnerabilities as they are found, or (2) recompile all
packages with optimizations disabled. I don't think proposal #2 would get
very far...

On Tue, Nov 26, 2013 at 1:54 PM, Miles Fidelman

> Going back through the discussion on this thread, I'm taken by two main
> reactions:
> - discussion of the specific class of bugs/security holes
> - a lot of comments that "this is an issue for upstream"
> What I haven't seen, so I'll add it to the discussion, is that this
> strikes me as an issue for "WAY upstream" - i.e., if gcc's optimizer is
> opening a class of security holes - then it's gcc that has to be fixed,
> after which that class of holes would go away after the next build of any
> impacted package.
> Miles Fidelman
> --
> To UNSUBSCRIBE, email to
> with a subject of "unsubscribe". Trouble? Contact
> Archive:

Mark E. Haase
Sr. Security Software Engineer
3300 N Fairfax Drive, Suite 308, Arlington, VA 22201

"Solutions Built on Security" TM
Lunarline, Inc. is an ISO 9001 and CMMI Level 2 Certified SDVOSB
Information Assurance\ Cyber Security Services Company.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds