Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 538
Alerts This Week
Warning Icon 1 538

Red Hat 7 Moderate: RHSA-2021-4039-01 Vulnerability in devtoolset-10-gcc

red hat
Calendar Grey November 1, 2021
Dist Redhat Esm H88
A significant patch for devtoolset-10-gcc resolves BiDi Unicode flaws and improves development resources.
An update for devtoolset-10-gcc is now available for Red Hat Software Collections

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The GNU Compiler Collection (GCC) is a portable compiler suite with support for various programming languages, including C, C++, and Fortran. The devtoolset-10-gcc packages provide the Red Hat Developer Toolset 10 version of GCC, as well as related libraries.
Security Fix(es):
* Developer environment: Unicode's bidirectional (BiDi) override characterscan cause trojan source attacks (CVE-2021-42574)
The following changes were introduced in binutils in order to facilitate detection of BiDi Unicode characters:
This gcc update implements -Wbidirectional=[none|unpaired|any] to warn about possibly dangerous bidirectional characters. There are three levels of warning supported by GCC: "-Wbidirectional=unpaired", which warns about improperly terminated bidi contexts. (This is the default) "-Wbidirectional=none", turns the warning off. "-Wbidirectional=any" warns about any use of bidirectional characters.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2021-42574 https://access.redhat.com/security/updates/classification#moderate https://access.redhat.com/security/vulnerabilities/RHSB-2021-007

Package List

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: devtoolset-10-gcc-10.2.1-11.2.el7.src.rpm
ppc64: devtoolset-10-gcc-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-gcc-c++-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-gcc-debuginfo-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-gcc-gdb-plugin-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-gcc-gfortran-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-gcc-plugin-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libasan-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libatomic-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libgccjit-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libgccjit-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libgccjit-docs-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libitm-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-liblsan-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libquadmath-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libstdc++-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libstdc++-docs-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libtsan-devel-10.2.1-11.2.el7.ppc64.rpm devtoolset-10-libubsan-devel-10.2.1-11.2.el7.ppc64.rpm libasan6-10.2.1-11.2.el7.ppc64.rpm liblsan-10.2.1-11.2.el7.ppc64.rpm libtsan-10.2.1-11.2.el7.ppc64.rpm libubsan1-10.2.1-11.2.el7.ppc64.rpm
ppc64le: devtoolset-10-gcc-10.2.1-11.2.el7.ppc64le.rpm

Read the Full Advisory


Advisory ID: RHSA-2021:4039-01
Product: Red Hat Software Collections
Issue date: 2021-11-01

Topic

An update for devtoolset-10-gcc is now available for Red Hat SoftwareCollections.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Bugs Fixed

2005819 - CVE-2021-42574 Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.