Bug 31106

Summary: gcc new security issues CVE-2021-3826 and CVE-2022-27943
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Thomas Backlund <tmb>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: gcc-10.4.0-3.mga8.src.rpm
CVE:
Status comment:

Comment 1 Thomas Backlund 2022-11-11 22:23:24 CET
For Cauldron:
CVE-2021-3826 is already fixed.

A fix for CVE-2022-27943 is queued in svn and will be pushed when I update the gcc snapshot to 20221112 on Sunday.

Comment 2 David Walser 2022-11-15 23:38:09 CET
RedHat has issued an advisory today (November 15):
https://access.redhat.com/errata/RHSA-2022:8415

Has CVE-2021-46195 been fixed already? I haven't seen it mentioned anywhere.

Comment 3 Thomas Backlund 2022-11-19 08:56:17 CET
(In reply to David Walser from comment #2)
> RedHat has issued an advisory today (November 15):
> https://access.redhat.com/errata/RHSA-2022:8415
> 
> Has CVE-2021-46195 been fixed already?  I haven't seen it mentioned anywhere.

Yes, fix landed in gcc-12 branch as of:

commit f10bec5ffa487ad3033ed5f38cfd0fc7d696deab
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 31 14:28:42 2022 +0000

    libiberty: Fix infinite recursion in rust demangler.

Comment 4 Thomas Backlund 2022-11-19 09:41:26 CET
The code affected by CVE-2021-3826, CVE-2022-27943 and CVE-2021-46195 does not exist in Mageia 8 / gcc 10, as it came in with later libiberty code syncs.

Status: NEW => RESOLVED
Version: 8 => Cauldron
Resolution: (none) => FIXED