Re: Need to know if GCC-7.5.0 affected by CVE-2021-37322

On Wed, 23 Oct 2024 at 09:21, Vivek Anand via Gcc-help <gcc-help@xxxxxxxxxxx>
wrote:

> Hi Team,
>
> I'm using gcc-7.5.0 with binutils-2.40.
> As per https://nvd.nist.gov/vuln/detail/CVE-2021-37322, GCC-7.5.0 seems to
> be affected by CVE-2021-37322.
> However, the patch suggested as part of
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188, is already there in
> GCC-7.5.0 tarball.
>

GCC 7.1.0 contains these patches:
https://gcc.gnu.org/g:e1fe3c698f5400139a4a5bec73c4600da8858356
https://gcc.gnu.org/g:bfbc839a0ba7d31399728c5b73e9a1cd6cefc9ae
https://gcc.gnu.org/g:59dad006fa31fe3355defcd6b38ab70fd7d2737f
https://gcc.gnu.org/g:916268f1f2e6806f794bba7229d29f9296b2b68d
Those appear to be the fixes for the issue. So the NIST page is wrong. It
also lists Binutils 2.31 as vulnerable, which is wrong according to the
Binutils maintainer who verified that it was fixed in 2.27 and later.

The problem occurs when using the c++filt program, which is not shipped as
part of GCC anyway. It's built from code which is shared between GCC and
Binutils, but the actual c++filt program is shipped as part of binutils,
not GCC.


>
> So, it's a bit confusing whether GCC-7.5.0 is affected by CVE-2021-37322 or
> not.
>
> Can you please help with clarification of the same?
>
> Thanks,
> Vivek
>
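
A triage check based on the reply above, added here as an example that is not part of the original thread: it classifies the installed c++filt by its Binutils version, using the 2.27 threshold the reply cites. The helper name `classify_cxxfilt` is hypothetical and the version banners shown in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). The 2.27 threshold is the Binutils
# release the reply above names as containing the fix.
FIX_MAJOR=2
FIX_MINOR=27

# classify_cxxfilt is a hypothetical helper: it takes the text printed by
# `c++filt --version` and prints "has-fix", "predates-fix" or "unknown".
classify_cxxfilt() {
    # The version is the last field of the first line, e.g. (constructed)
    # "GNU c++filt (GNU Binutils) 2.40" or "GNU c++filt version 2.30-93.el8".
    ver=$(printf '%s\n' "$1" | awk 'NR==1 {print $NF}')
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}      # drop patch level and distro suffix
    case "$major" in *[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -gt "$FIX_MAJOR" ] ||
       { [ "$major" -eq "$FIX_MAJOR" ] && [ "$minor" -ge "$FIX_MINOR" ]; }; then
        echo has-fix
    else
        echo predates-fix
    fi
}

# Check the c++filt actually on PATH; it comes from binutils, so the GCC
# version is not what decides the result.
if command -v c++filt >/dev/null 2>&1; then
    banner=$(c++filt --version 2>/dev/null)
    echo "$(command -v c++filt): $(classify_cxxfilt "$banner")"
else
    echo "c++filt not installed"
fi
# Distributions backport fixes, so "predates-fix" means "check the package
# changelog", not "confirmed vulnerable".
```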


