Bug 1202918 - (CVE-2020-35536) VUL-1: CVE-2020-35536: gcc10,gcc48,gcc11,gcc43,gcc,gcc9,gcc7,gcc8,gcc33: Internal compiler error in match_reload function at lra-constraints.c
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Richard Biener
Security Team bot
Reported: 2022-08-30 12:20 UTC by Thomas Leroy
Modified: 2022-08-31 07:58 UTC
Found By: Security Response Team
Comment 1 Thomas Leroy 2022-08-30 12:23:28 UTC
Fixes have been included in v10.1.0, and the commit introducing the bug is likely this one [0] introduced in v4.8.0. So I would say that the following codestreams are affected:

- SUSE:SLE-11-SP1:Update:Teradata/gcc48
- SUSE:SLE-12:Update/gcc48
- SUSE:SLE-15:Update/gcc7
- SUSE:SLE-15:Update/gcc8
- SUSE:SLE-15:Update/gcc9

[0] https://github.com/gcc-mirror/gcc/commit/55a2c3226a3e90a6d65f19710bab1ac377054234
Comment 2 Michael Matz 2022-08-30 12:40:57 UTC
This is no security problem.  If a CVE was assigned then that's nonsense, but was
it actually? :

  has no info, and
  says "CVE ID Not Found".

If it were a CVE it would need to be disputed, this is a normal compiler bug
on invalid input.

(How did we become aware of this one?  Is someone scraping bullshit CVE entries
for busy work?)
Comment 5 Michael Matz 2022-08-30 13:43:09 UTC
Just to be very clear, at least once: we are not going to touch any gcc package
for an internal compiler error.  It's basically the fancy form of an abort(3).  It's not a crash as the confused original bug report claims or anything similar.
This all works exactly as designed.  And if it were a crash (which it is not)
we still wouldn't touch anything, as it again wouldn't have any security

If you want you can close them all with WONTFIX right away.
Comment 6 Thomas Leroy 2022-08-31 07:58:39 UTC
As seen with the team and with Michael, this is not a security issue. Closing