Bug 31106 - gcc new security issues CVE-2021-3826 and CVE-2022-27943
Summary: gcc new security issues CVE-2021-3826 and CVE-2022-27943
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thomas Backlund
QA Contact: Sec team
Reported: 2022-11-10 23:52 CET by David Walser
Modified: 2022-11-19 09:41 CET
Source RPM: gcc-10.4.0-3.mga8.src.rpm

Comment 1 Thomas Backlund 2022-11-11 22:23:24 CET
For Cauldron:
CVE-2021-3826 is already fixed.

A fix for CVE-2022-27943 is queued in svn and will be pushed when I update the gcc snapshot to 20221112 on Sunday.
Comment 2 David Walser 2022-11-15 23:38:09 CET
RedHat has issued an advisory today (November 15):
https://access.redhat.com/errata/RHSA-2022:8415

Has CVE-2021-46195 been fixed already?  I haven't seen it mentioned anywhere.
Comment 3 Thomas Backlund 2022-11-19 08:56:17 CET
(In reply to David Walser from comment #2)
> RedHat has issued an advisory today (November 15):
> https://access.redhat.com/errata/RHSA-2022:8415
> 
> Has CVE-2021-46195 been fixed already?  I haven't seen it mentioned anywhere.

Yes, fix landed in gcc-12 branch as of:

commit f10bec5ffa487ad3033ed5f38cfd0fc7d696deab
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 31 14:28:42 2022 +0000

    libiberty: Fix infinite recursion in rust demangler.
Comment 4 Thomas Backlund 2022-11-19 09:41:26 CET
The code affected by CVE-2021-3826, CVE-2022-27943 and CVE-2021-46195 does not exist in Mageia 8 / gcc 10 as it came in with later libiberty code syncs

Status: NEW => RESOLVED
Version: 8 => Cauldron
Resolution: (none) => FIXED