Gentoo Linux Security Advisory 202409-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202409-22- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal    Title: GCC: Flawed Code Generation     Date: September 24, 2024     Bugs: #719466       ID: 202409-22- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis========A vulnerability has been discovered in GCC, which can lead to flawedcode generation.Background==========The GNU Compiler Collection includes front ends for C, C++, Objective-C,Fortran, Ada, Go, D and Modula-2 as well as libraries for theselanguages (libstdc++,...).Affected packages=================Package        Vulnerable    Unaffected-------------  ------------  ------------sys-devel/gcc  < 10.0        >= 10.0Description===========A vulnerability has been discovered in GCC. Please review the CVEidentifier referenced below for details.Impact======The POWER9 backend in GNU Compiler Collection (GCC) could optimizemultiple calls of the __builtin_darn intrinsic into a single call, thusreducing the entropy of the random number generator. This occurredbecause a volatile operation was not specified. For example, within asingle execution of a program, the output of every __builtin_darn() callmay be the same.Workaround==========There is no known workaround at this time.Resolution==========All GCC users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=sys-devel/gcc-10.0"And then select it with gcc-config:  # gcc-config latestIn this case, users should also rebuild all affected packages withemerge -e, e.g.:  # emerge --usepkg=n --emptytree @worldReferences==========[ 1 ] CVE-2019-15847      https://nvd.nist.gov/vuln/detail/CVE-2019-15847Availability============This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202409-22Concerns?=========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed [email protected] or alternatively, you may file a bug athttps://bugs.gentoo.org.License=======Copyright 2024 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5