Bugzilla – Bug 1008266
VUL-0: CVE-2016-7420: cryptopp: Library documentation lacks treatment of -DNDEBUG and Static Initialization
Last modified: 2016-11-03 09:34:22 UTC
CVE-2016-7420 is a procedural finding due to external build systems failing to define NDEBUG for release builds. The gap was the project's failure to tell users to define NDEBUG.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1376696
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7420
http://seclists.org/oss-sec/2016/q3/520
http://www.openwall.com/lists/oss-security/2015/11/10/12
http://seclists.org/oss-sec/2016/q3/559
http://seclists.org/oss-sec/2016/q3/527
http://seclists.org/oss-sec/2016/q3/600
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7420.html
http://www.cvedetails.com/cve/CVE-2016-7420/
http://github.com/weidai11/cryptopp/commit/823bc93357da32a3a4a2b71b9915a4e124839d18
From http://seclists.org/oss-sec/2016/q3/519:

> The gap is simple: we handle sensitive information and
> did not tell users that they must define -DNDEBUG when using alternate
> build systems, like Autotools or CMake. The project's supported build
> system, [GNU] Make, adds the define.

The openSUSE package uses GNU Make. Closing.
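To illustrate the build-system dependency behind this finding, the following is an added example (not cryptopp code, and not from this bug's references) with hypothetical names: a plain assert() on a sensitive path stays live whenever the consumer's build forgets -DNDEBUG, whereas a library-controlled opt-in macro and error returns do not depend on the consumer at all.

```c
/* Added example, not cryptopp code. LIB_DEBUG, LIB_ASSERT and load_key are
 * hypothetical names chosen for illustration. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 1. Plain assert() is removed only when the CONSUMER's build defines NDEBUG.
 *    An Autotools/CMake build that omits -DNDEBUG keeps it live: a failing
 *    check aborts the process and a core dump may hold the key being checked. */
int plain_asserts_active(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* 2. A library-private assert gated on a define the LIBRARY controls, so a
 *    consumer's missing -DNDEBUG cannot switch it on by accident. */
#ifdef LIB_DEBUG
#define LIB_ASSERT(cond) assert(cond)
#else
#define LIB_ASSERT(cond) ((void)0)
#endif

int lib_asserts_active(void)
{
#ifdef LIB_DEBUG
    return 1;
#else
    return 0;
#endif
}

/* 3. Checks on caller-supplied sensitive data return an error instead of
 *    aborting. Copies key_len bytes into out; returns 0 on success, -1 on a
 *    bad argument. Only internal invariants go through LIB_ASSERT. */
int load_key(uint8_t *out, size_t out_len, const uint8_t *key, size_t key_len)
{
    if (out == NULL || key == NULL || key_len == 0 || key_len > out_len)
        return -1;                  /* caller handles it; no abort, no dump */
    LIB_ASSERT(out_len >= key_len); /* internal invariant, off by default */
    memcpy(out, key, key_len);
    return 0;
}
```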