RLSA-2021:4585

Source
https://errata.rockylinux.org/RLSA-2021:4585
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2021:4585.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2021:4585
Published
2021-11-10T08:31:42Z
Modified
2023-02-02T13:32:22.349363Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Moderate: gcc-toolset-10-gcc security update
Details

The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Security Fix(es):

  • Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574)

The following changes were introduced in gcc in order to facilitate detection of BiDi Unicode characters:

This update implements a new warning option -Wbidirectional to warn about possibly dangerous bidirectional characters.

There are three levels of warning supported by gcc:

  • "-Wbidirectional=unpaired", which warns about improperly terminated BiDi contexts. (This is the default.)
  • "-Wbidirectional=none", which turns the warning off.
  • "-Wbidirectional=any", which warns about any use of bidirectional characters.
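The difference between the three levels can be reproduced with a small source scanner, useful in code review or CI where the patched compiler is not available. This is an added example, not code from gcc or from this advisory: it treats each line as one BiDi context (an assumption; the compiler works on its own tokens), and the names `scan`, `unterminated` and `SAMPLE` are hypothetical.

```python
import unicodedata

EMBEDDINGS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                          # the two terminators
BIDI_CONTROLS = EMBEDDINGS | ISOLATES | {PDF, PDI}

# Constructed sample: line 2 opens two contexts and never closes them,
# line 3 opens one embedding and closes it properly.
SAMPLE = (
    "int main(void) {\n"
    "    /* check \u202e admin \u2066 */ if (is_admin) {\n"
    '    const char *s = "\u202bshalom\u202c";\n'
    "    return 0; }\n"
)


def unterminated(line):
    """Return the BiDi controls still open at the end of one line."""
    stack = []
    for ch in line:
        if ch in EMBEDDINGS or ch in ISOLATES:
            stack.append(ch)
        elif ch == PDF and stack and stack[-1] in EMBEDDINGS:
            stack.pop()  # PDF closes only the innermost embedding/override
        elif ch == PDI and any(c in ISOLATES for c in stack):
            while stack.pop() not in ISOLATES:
                pass     # PDI also closes embeddings opened inside the isolate
    return stack


def scan(source, level="unpaired"):
    """Return (line_number, message) findings for level none/unpaired/any."""
    if level not in ("none", "unpaired", "any"):
        raise ValueError(f"unknown level: {level}")
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if level == "none":
            break
        if level == "any":
            hits, kind = [c for c in line if c in BIDI_CONTROLS], "bidi control"
        else:
            hits, kind = unterminated(line), "unterminated bidi context"
        for ch in hits:
            name = unicodedata.name(ch)
            findings.append((no, f"{kind}: U+{ord(ch):04X} {name}"))
    return findings
```

On the sample, the default level flags only line 2, while "any" also reports the correctly paired embedding on line 3.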

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:8 / gcc-toolset-10-gcc

Package

Name
gcc-toolset-10-gcc
Purl
pkg:rpm/rocky-linux/gcc-toolset-10-gcc?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0:10.3.1-1.2.el8_5