On Tue, 22 Apr 2008, Mark Mitchell wrote:

> Chad Dougherty wrote:
>
> > The vulnerability note has been significantly reworked to focus on the issue
> > of undefined behavior handling in the compiler and the fact that conforming
> > implementations are not required to warn of this condition. I've tried to
> > incorporate many of the valid concerns that were raised on this list in
> > response to the original vulnerability note.
>
> Thank you for making the update; this is a big improvement.
>
> However, I'm surprised that only GCC is listed as "vulnerable" at the bottom
> of the page. We've provided information about a lot of other compilers that
> do the same optimization. Why is the status for compilers from Microsoft,
> Intel, IBM, etc. listed as "Unknown" instead of "Vulnerable"?
>
> --
> Mark Mitchell
> CodeSourcery
> [EMAIL PROTECTED]
> (650) 331-3385 x713

Additionally, the linked-to notes for GCC are reflective of the original inaccuracies:

http://www.kb.cert.org/vuls/id/CRDY-7DWKWM

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

US-CERT Addendum

Vendors and developers using the GNU C compiler should consider downgrading their version of gcc or sticking with versions of the gcc compiler (before version 4.1) that do not perform the offending optimization. In the case of gcc, it should be emphasized that this is a change of behavior in the later versions of the compiler.

Later,
Brad