Security News > 2020 > April > GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps

GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
2020-04-23 10:06

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win - it snared an exploitable flaw in OpenSSL. Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team.

While the flaw is an irritation - it's not remote-code execution but it can potentially hose servers and apps - programmers may be more interested in how it was uncovered.

Edlinger credits the discovery of the bug to GCC 10's brand new static analysis feature.

That means hopefully a good number of security bugs out there will be discovered and squashed as more programmers migrate to GCC 10 and take the analyzer out for a spin.

The analyzer is available from the master branch of the GCC 10 source code.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/23/gcc_openssl_vulnerability/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-04-21 CVE-2020-1967 NULL Pointer Dereference vulnerability in multiple products
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension.
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 1 7 48 51 13 119