Thanks Klaus and Jonathan for the detailed clarification. My application uses c++filt but it should not be affected as per the clarification. I'm working on moving to a more recent version of gcc but that may take some time.

Just out of curiosity, I wanted to know whether gcc maintains its vulnerability report somewhere which is more updated and correct (which can be referred to in future)?

On Wed, Oct 23, 2024 at 3:20 PM Jonathan Wakely <jwakely.gcc@xxxxxxxxx> wrote:

> On Wed, 23 Oct 2024 at 09:21, Vivek Anand via Gcc-help <gcc-help@xxxxxxxxxxx> wrote:
>
>> Hi Team,
>>
>> I'm using gcc-7.5.0 with binutils-2.40.
>> As per https://nvd.nist.gov/vuln/detail/CVE-2021-37322, GCC-7.5.0 seems to
>> be affected by CVE-2021-37322.
>> However, the patch suggested as part of
>> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188 is already there in the
>> GCC-7.5.0 tarball.
>
> GCC 7.1.0 contains these patches:
> https://gcc.gnu.org/g:e1fe3c698f5400139a4a5bec73c4600da8858356
> https://gcc.gnu.org/g:bfbc839a0ba7d31399728c5b73e9a1cd6cefc9ae
> https://gcc.gnu.org/g:59dad006fa31fe3355defcd6b38ab70fd7d2737f
> https://gcc.gnu.org/g:916268f1f2e6806f794bba7229d29f9296b2b68d
> Those appear to be the fixes for the issue. So the NIST page is wrong. It
> also lists Binutils 2.31 as vulnerable, which is wrong according to the
> Binutils maintainer who verified that it was fixed in 2.27 and later.
>
> The problem occurs when using the c++filt program, which is not shipped as
> part of GCC anyway. It's built from code which is shared between GCC and
> Binutils, but the actual c++filt program is shipped as part of binutils,
> not GCC.
>
>> So, it's a bit confusing whether GCC-7.5.0 is affected by CVE-2021-37322 or
>> not.
>>
>> Can you please help with clarification of the same?
>>
>> Thanks,
>> Vivek