On Wed, 23 Oct 2024 at 12:13, Vivek Anand <vivekanand.devworks@xxxxxxxxx> wrote: > Thanks Klaus and Jonathan for detailed clarification. > My application uses c++filt but it should not be affected as per > clarification. > I'm working on moving to a more recent version of gcc but that may take > some time. > > Just out of curiosity wanted to know whether gcc mainitains its > vulnerability report somewhere which is more updated and correct(which can > be referred for future)? > No, only what you see in the bugzilla database. > > On Wed, Oct 23, 2024 at 3:20 PM Jonathan Wakely <jwakely.gcc@xxxxxxxxx> > wrote: > >> >> >> On Wed, 23 Oct 2024 at 09:21, Vivek Anand via Gcc-help < >> gcc-help@xxxxxxxxxxx> wrote: >> >>> Hi Team, >>> >>> I'm using gcc-7.5.0 with binutils-2.40. >>> As per https://nvd.nist.gov/vuln/detail/CVE-2021-37322, GCC-7.5.0 seems >>> to >>> be affected by CVE-2021-37322. >>> However, The patch suggested as part of >>> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188, is already there in >>> GCC-7.5.0 tarball. >>> >> >> GCC 7.1.0 contains these patches: >> https://gcc.gnu.org/g:e1fe3c698f5400139a4a5bec73c4600da8858356 >> https://gcc.gnu.org/g:bfbc839a0ba7d31399728c5b73e9a1cd6cefc9ae >> https://gcc.gnu.org/g:59dad006fa31fe3355defcd6b38ab70fd7d2737f >> https://gcc.gnu.org/g:916268f1f2e6806f794bba7229d29f9296b2b68d >> Those appear to be the fixes for the issue. So the NIST page is wrong. It >> also lists Binutils 2.31 as vulnerable, which is wrong according to the >> Binutils maintainer who verified that it was fixed in 2.27 and later. >> >> The problem occurs when using the c++filt program, which is not shipped >> as part of GCC anyway. It's built from code which is shared between GCC and >> Binutils, but the actual c++filt program is shipped as part of binutils, >> not GCC. >> >> >>> >>> So, it's a bit confusing whether GCC-7.5.0 is affected by CVE-2021-37322 >>> or >>> not. >>> >>> Can you please help with clarification of the same? >>> >>> Thanks, >>> Vivek >>> >>
