1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202409-22 ] GCC: Flawed Code Generation

    From glsamaker@gentoo.org@21:1/5 to All on Tue Sep 24 07:20:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202409-22
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: GCC: Flawed Code Generation
    Date: September 24, 2024
    Bugs: #719466
    ID: 202409-22

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in GCC, which can lead to flawed
    code generation.

    Background
    ==========

    The GNU Compiler Collection includes front ends for C, C++, Objective-C, Fortran, Ada, Go, D and Modula-2 as well as libraries for these
    languages (libstdc++,...).

    Affected packages
    =================

    Package Vulnerable Unaffected
    ------------- ------------ ------------
    sys-devel/gcc < 10.0 >= 10.0

    Description
    ===========

    A vulnerability has been discovered in GCC. Please review the CVE
    identifier referenced below for details.

    Impact
    ======

    The POWER9 backend in GNU Compiler Collection (GCC) could optimize
    multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred
    because a volatile operation was not specified. For example, within a
    single execution of a program, the output of every __builtin_darn() call
    may be the same.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All GCC users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-devel/gcc-10.0"

    And then select it with gcc-config:

    # gcc-config latest

    In this case, users should also rebuild all affected packages with
    emerge -e, e.g.:

    # emerge --usepkg=n --emptytree @world

    References
    ==========

    [ 1 ] CVE-2019-15847
    https://nvd.nist.gov/vuln/detail/CVE-2019-15847

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202409-22

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmbySiMACgkQFMQkOaVy +9ldFg//aon5fkCHRkw8AJ5R0jRVioSElofw49VSfJywgLNmhPD+dCLs5K2KdDzx 2WJOEkW+1cIj8pkXVSf5qtUPCn+DXvNkJyHSGOWQSZ3KVbVb69yoRw8Rx9NzzoDu R5T4HT2X8SSfLzQ+02yksGQcAuYW6X/WLL/F0HXUYYvsM5IJ6BcCcF84UAebiWYq UJ/9rcF1djp1ZVuMLbNfzH4mJAs07oDeQlm7c097bROl250VnMGTTPQc7kidXuMb 9q+fSpEeNEa90VuIEuHLCtnm7mfUq4X5YYL7qv2VkFfueImKjqF8Cz7Kuj2FA9HA NClk9B5c8xAwCQnUl5KSjtvetZVpeEZrJt1ZjWrerqYajsh5Uru5tZa8s2Ztxyri hXOaTZwSNzrPk0Ti2mZ2qe3eGN0suWU9IWNFaNQwzd06zx48FAVGinrFPcpcWZnN +bQuQwzSXkz9y9DXs0GmjiuIqHd0MEFolnjvrSBYSgDO758TNBGpfoKBkhMW8suS LnKWIhBUDpuhoJQNZyxMaZmm7BxKSe5/rnzD4B2xivMaaWSHCib4wqs8DLorF7Ay Zb4gkylwI0CHovW+iMUNc/Q0FN43xfn3DRJTbWQkkI8xHVtN03OxlSs5z46cSjgm HooujKoGWSGLA2YsKzoxRB24mabbxycQ6/XJ3PELTTpXcKev3AA=
    =Nw9T
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)