Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.6879
Security update for gcc13
21 November 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: gcc13
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2023-4039
Original Bulletin:
https://www.suse.com/support/update/announcement/2023/suse-su-20234480-1
Comment: CVSS (Max): 8.1 CVE-2023-4039 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update for gcc13
Announcement ID: SUSE-SU-2023:4480-1
Rating: important
o bsc#1206480
o bsc#1206684
o bsc#1210557
o bsc#1211427
o bsc#1212101
o bsc#1213915
o bsc#1214052
References: o bsc#1214460
o bsc#1215427
o bsc#1216664
o jsc#PED-153
o jsc#PED-2005
o jsc#PED-252
o jsc#PED-253
o jsc#PED-6584
Cross-References: o CVE-2023-4039
o CVE-2023-4039 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/
S:U/C:H/I:H/A:H
CVSS scores: o CVE-2023-4039 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/
S:U/C:L/I:L/A:N
o SUSE Linux Enterprise High Performance Computing 12 SP2
o SUSE Linux Enterprise High Performance Computing 12 SP3
o SUSE Linux Enterprise High Performance Computing 12 SP4
o SUSE Linux Enterprise High Performance Computing 12 SP5
o SUSE Linux Enterprise Server 12
o SUSE Linux Enterprise Server 12 SP1
o SUSE Linux Enterprise Server 12 SP2
Affected o SUSE Linux Enterprise Server 12 SP3
Products: o SUSE Linux Enterprise Server 12 SP4
o SUSE Linux Enterprise Server 12 SP5
o SUSE Linux Enterprise Server for SAP Applications 12
o SUSE Linux Enterprise Server for SAP Applications 12 SP1
o SUSE Linux Enterprise Server for SAP Applications 12 SP2
o SUSE Linux Enterprise Server for SAP Applications 12 SP3
o SUSE Linux Enterprise Server for SAP Applications 12 SP4
o SUSE Linux Enterprise Server for SAP Applications 12 SP5
o Toolchain Module 12
An update that solves one vulnerability, contains five features and has nine
security fixes can now be installed.
Description:
This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the "Development Tools" module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported
via the PackageHub repositories.
To use gcc13 compilers use:
o install "gcc13" or "gcc13-c++" or one of the other "gcc13-COMPILER"
frontend packages.
o override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides
for the other languages.
For a full changelog with all new GCC13 features, check out
https://gcc.gnu.org/gcc-13/changes.html
Detailed changes:
o CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
length stack allocations. (bsc#1214052)
o Work around third party app crash during C++ standard library
initialization. [bsc#1216664]
o Fixed that GCC13 fails to compile some packages with error: unrecognizable
insn (bsc#1215427)
o Bump included newlib to version 4.3.0.
o Update to GCC trunk head (r13-5254-g05b9868b182bb9)
o Redo floatn fixinclude pick-up to simply keep what is there.
o Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
o Also handle -static-pie in the default-PIE specs
o Fixed missed optimization in Skia resulting in Firefox crashes when
building with LTO. [bsc#1212101]
o Make libstdc++6-devel packages own their directories since they can be
installed standalone. [bsc#1211427]
o Add new x86-related intrinsics (amxcomplexintrin.h).
o RISC-V: Add support for inlining subword atomic operations
o Use --enable-link-serialization rather that --enable-link-mutex, the
benefit of the former one is that the linker jobs are not holding tokens of
the make's jobserver.
o Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the
general state of BPF with GCC.
o Add bootstrap conditional to allow --without=bootstrap to be specified to
speed up local builds for testing.
o Bump included newlib to version 4.3.0.
o Also package libhwasan_preinit.o on aarch64.
o Configure external timezone database provided by the timezone package. Make
libstdc++6 recommend timezone to get a fully working std::chrono. Install
timezone when running the testsuite.
o Package libhwasan_preinit.o on x86_64.
o Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
o Enable PRU flavour for gcc13
o update floatn fixinclude pickup to check each header separately (bsc#
1206480)
o Redo floatn fixinclude pick-up to simply keep what is there.
o Bump libgo SONAME to libgo22.
o Do not package libhwasan for biarch (32-bit architecture) as the extension
depends on 64-bit pointers.
o Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
o Depend on at least LLVM 13 for GCN cross compiler.
o Update embedded newlib to version 4.2.0
o Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture
is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We
need to have cross-pru-gcc12 for armv7l in order to build both host
applications and PRU firmware during the same build.
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o Toolchain Module 12
zypper in -t patch SUSE-SLE-Module-Toolchain-12-2023-4480=1
o SUSE Linux Enterprise High Performance Computing 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4480=1
o SUSE Linux Enterprise Server 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4480=1
o SUSE Linux Enterprise Server for SAP Applications 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4480=1
Package List:
o Toolchain Module 12 (aarch64 ppc64le s390x x86_64)
gcc13-PIE-13.2.1+git7813-1.10.1
gcc13-locale-13.2.1+git7813-1.10.1
gcc13-13.2.1+git7813-1.10.1
gcc13-fortran-13.2.1+git7813-1.10.1
gcc13-debuginfo-13.2.1+git7813-1.10.1
gcc13-c++-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-devel-gcc13-13.2.1+git7813-1.10.1
cpp13-debuginfo-13.2.1+git7813-1.10.1
gcc13-fortran-debuginfo-13.2.1+git7813-1.10.1
gcc13-c++-13.2.1+git7813-1.10.1
gcc13-debugsource-13.2.1+git7813-1.10.1
cpp13-13.2.1+git7813-1.10.1
o Toolchain Module 12 (noarch)
gcc13-info-13.2.1+git7813-1.10.1
o Toolchain Module 12 (s390x x86_64)
gcc13-c++-32bit-13.2.1+git7813-1.10.1
gcc13-32bit-13.2.1+git7813-1.10.1
gcc13-fortran-32bit-13.2.1+git7813-1.10.1
libstdc++6-devel-gcc13-32bit-13.2.1+git7813-1.10.1
o Toolchain Module 12 (x86_64)
cross-nvptx-newlib13-devel-13.2.1+git7813-1.10.1
cross-nvptx-gcc13-13.2.1+git7813-1.10.1
cross-nvptx-gcc13-debugsource-13.2.1+git7813-1.10.1
cross-nvptx-gcc13-debuginfo-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
libstdc++6-pp-13.2.1+git7813-1.10.1
libatomic1-debuginfo-13.2.1+git7813-1.10.1
libitm1-debuginfo-13.2.1+git7813-1.10.1
libgfortran5-13.2.1+git7813-1.10.1
libobjc4-13.2.1+git7813-1.10.1
liblsan0-debuginfo-13.2.1+git7813-1.10.1
libtsan2-13.2.1+git7813-1.10.1
libasan8-13.2.1+git7813-1.10.1
liblsan0-13.2.1+git7813-1.10.1
libhwasan0-debuginfo-13.2.1+git7813-1.10.1
libobjc4-debuginfo-13.2.1+git7813-1.10.1
libubsan1-debuginfo-13.2.1+git7813-1.10.1
libubsan1-13.2.1+git7813-1.10.1
libasan8-debuginfo-13.2.1+git7813-1.10.1
libitm1-13.2.1+git7813-1.10.1
libgomp1-debuginfo-13.2.1+git7813-1.10.1
libgomp1-13.2.1+git7813-1.10.1
libatomic1-13.2.1+git7813-1.10.1
libhwasan0-13.2.1+git7813-1.10.1
libgfortran5-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-13.2.1+git7813-1.10.1
libgcc_s1-13.2.1+git7813-1.10.1
libgcc_s1-debuginfo-13.2.1+git7813-1.10.1
libtsan2-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-locale-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
libgfortran5-32bit-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-32bit-13.2.1+git7813-1.10.1
libgomp1-32bit-debuginfo-13.2.1+git7813-1.10.1
libasan8-32bit-debuginfo-13.2.1+git7813-1.10.1
libquadmath0-13.2.1+git7813-1.10.1
libquadmath0-32bit-13.2.1+git7813-1.10.1
libasan8-32bit-13.2.1+git7813-1.10.1
libatomic1-32bit-debuginfo-13.2.1+git7813-1.10.1
libitm1-32bit-debuginfo-13.2.1+git7813-1.10.1
libubsan1-32bit-debuginfo-13.2.1+git7813-1.10.1
libitm1-32bit-13.2.1+git7813-1.10.1
libstdc++6-32bit-debuginfo-13.2.1+git7813-1.10.1
libatomic1-32bit-13.2.1+git7813-1.10.1
libobjc4-32bit-13.2.1+git7813-1.10.1
libgcc_s1-32bit-debuginfo-13.2.1+git7813-1.10.1
libobjc4-32bit-debuginfo-13.2.1+git7813-1.10.1
libubsan1-32bit-13.2.1+git7813-1.10.1
libstdc++6-pp-32bit-13.2.1+git7813-1.10.1
libgcc_s1-32bit-13.2.1+git7813-1.10.1
libquadmath0-32bit-debuginfo-13.2.1+git7813-1.10.1
libgfortran5-32bit-13.2.1+git7813-1.10.1
libgomp1-32bit-13.2.1+git7813-1.10.1
libquadmath0-debuginfo-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
libstdc++6-pp-13.2.1+git7813-1.10.1
libatomic1-debuginfo-13.2.1+git7813-1.10.1
libitm1-debuginfo-13.2.1+git7813-1.10.1
libgfortran5-13.2.1+git7813-1.10.1
libobjc4-13.2.1+git7813-1.10.1
liblsan0-debuginfo-13.2.1+git7813-1.10.1
libtsan2-13.2.1+git7813-1.10.1
libasan8-13.2.1+git7813-1.10.1
liblsan0-13.2.1+git7813-1.10.1
libobjc4-debuginfo-13.2.1+git7813-1.10.1
libubsan1-debuginfo-13.2.1+git7813-1.10.1
libubsan1-13.2.1+git7813-1.10.1
libasan8-debuginfo-13.2.1+git7813-1.10.1
libitm1-13.2.1+git7813-1.10.1
libgomp1-debuginfo-13.2.1+git7813-1.10.1
libgomp1-13.2.1+git7813-1.10.1
libatomic1-13.2.1+git7813-1.10.1
libgfortran5-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-13.2.1+git7813-1.10.1
libgcc_s1-13.2.1+git7813-1.10.1
libgcc_s1-debuginfo-13.2.1+git7813-1.10.1
libtsan2-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-locale-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise Server 12 SP5 (aarch64 x86_64)
libhwasan0-debuginfo-13.2.1+git7813-1.10.1
libhwasan0-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise Server 12 SP5 (ppc64le x86_64)
libquadmath0-13.2.1+git7813-1.10.1
libquadmath0-debuginfo-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise Server 12 SP5 (s390x x86_64)
libatomic1-32bit-13.2.1+git7813-1.10.1
libgfortran5-32bit-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-32bit-13.2.1+git7813-1.10.1
libasan8-32bit-13.2.1+git7813-1.10.1
libgfortran5-32bit-13.2.1+git7813-1.10.1
libitm1-32bit-13.2.1+git7813-1.10.1
libgomp1-32bit-13.2.1+git7813-1.10.1
libatomic1-32bit-debuginfo-13.2.1+git7813-1.10.1
libgomp1-32bit-debuginfo-13.2.1+git7813-1.10.1
libitm1-32bit-debuginfo-13.2.1+git7813-1.10.1
libobjc4-32bit-13.2.1+git7813-1.10.1
libgcc_s1-32bit-debuginfo-13.2.1+git7813-1.10.1
libobjc4-32bit-debuginfo-13.2.1+git7813-1.10.1
libubsan1-32bit-13.2.1+git7813-1.10.1
libstdc++6-pp-32bit-13.2.1+git7813-1.10.1
libubsan1-32bit-debuginfo-13.2.1+git7813-1.10.1
libasan8-32bit-debuginfo-13.2.1+git7813-1.10.1
libgcc_s1-32bit-13.2.1+git7813-1.10.1
libstdc++6-32bit-debuginfo-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise Server 12 SP5 (x86_64)
libquadmath0-32bit-debuginfo-13.2.1+git7813-1.10.1
libquadmath0-32bit-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
libstdc++6-pp-13.2.1+git7813-1.10.1
libatomic1-debuginfo-13.2.1+git7813-1.10.1
libitm1-debuginfo-13.2.1+git7813-1.10.1
libgfortran5-13.2.1+git7813-1.10.1
libobjc4-13.2.1+git7813-1.10.1
liblsan0-debuginfo-13.2.1+git7813-1.10.1
libquadmath0-13.2.1+git7813-1.10.1
libtsan2-13.2.1+git7813-1.10.1
libasan8-13.2.1+git7813-1.10.1
liblsan0-13.2.1+git7813-1.10.1
libobjc4-debuginfo-13.2.1+git7813-1.10.1
libubsan1-debuginfo-13.2.1+git7813-1.10.1
libubsan1-13.2.1+git7813-1.10.1
libasan8-debuginfo-13.2.1+git7813-1.10.1
libitm1-13.2.1+git7813-1.10.1
libgomp1-debuginfo-13.2.1+git7813-1.10.1
libgomp1-13.2.1+git7813-1.10.1
libatomic1-13.2.1+git7813-1.10.1
libgfortran5-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-13.2.1+git7813-1.10.1
libgcc_s1-13.2.1+git7813-1.10.1
libgcc_s1-debuginfo-13.2.1+git7813-1.10.1
libquadmath0-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-debuginfo-13.2.1+git7813-1.10.1
libtsan2-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-locale-13.2.1+git7813-1.10.1
o SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
libgfortran5-32bit-debuginfo-13.2.1+git7813-1.10.1
libstdc++6-32bit-13.2.1+git7813-1.10.1
libgomp1-32bit-debuginfo-13.2.1+git7813-1.10.1
libasan8-32bit-debuginfo-13.2.1+git7813-1.10.1
libquadmath0-32bit-13.2.1+git7813-1.10.1
libasan8-32bit-13.2.1+git7813-1.10.1
libatomic1-32bit-debuginfo-13.2.1+git7813-1.10.1
libitm1-32bit-debuginfo-13.2.1+git7813-1.10.1
libhwasan0-debuginfo-13.2.1+git7813-1.10.1
libubsan1-32bit-debuginfo-13.2.1+git7813-1.10.1
libitm1-32bit-13.2.1+git7813-1.10.1
libstdc++6-32bit-debuginfo-13.2.1+git7813-1.10.1
libatomic1-32bit-13.2.1+git7813-1.10.1
libobjc4-32bit-13.2.1+git7813-1.10.1
libgcc_s1-32bit-debuginfo-13.2.1+git7813-1.10.1
libobjc4-32bit-debuginfo-13.2.1+git7813-1.10.1
libubsan1-32bit-13.2.1+git7813-1.10.1
libstdc++6-pp-32bit-13.2.1+git7813-1.10.1
libgcc_s1-32bit-13.2.1+git7813-1.10.1
libquadmath0-32bit-debuginfo-13.2.1+git7813-1.10.1
libgfortran5-32bit-13.2.1+git7813-1.10.1
libgomp1-32bit-13.2.1+git7813-1.10.1
libhwasan0-13.2.1+git7813-1.10.1
References:
o https://www.suse.com/security/cve/CVE-2023-4039.html
o https://bugzilla.suse.com/show_bug.cgi?id=1206480
o https://bugzilla.suse.com/show_bug.cgi?id=1206684
o https://bugzilla.suse.com/show_bug.cgi?id=1210557
o https://bugzilla.suse.com/show_bug.cgi?id=1211427
o https://bugzilla.suse.com/show_bug.cgi?id=1212101
o https://bugzilla.suse.com/show_bug.cgi?id=1213915
o https://bugzilla.suse.com/show_bug.cgi?id=1214052
o https://bugzilla.suse.com/show_bug.cgi?id=1214460
o https://bugzilla.suse.com/show_bug.cgi?id=1215427
o https://bugzilla.suse.com/show_bug.cgi?id=1216664
o https://jira.suse.com/browse/PED-153
o https://jira.suse.com/browse/PED-2005
o https://jira.suse.com/browse/PED-252
o https://jira.suse.com/browse/PED-253
o https://jira.suse.com/browse/PED-6584
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZVwKlskNZI30y1K9AQifdg//ULDfKzxMb6dms1DFBCEUmmWy8ebdl3sD
I31KAi12rE0Snxy0GionCpINJKSbNWSA4B3yykCHgk1c2YlTSdUAdgX7/qCNhobE
SdqX6qCVudCPWGD8nBtI3Zv/K16baPci2ye2/BsuBQqvRNjMU+QrDgng9Fx6abpD
o4waT4VX7aPF5PiSLrbSdOez49xWmplwvPQmkEtmgM9C6RhtCJqVvE1PXe8ZQ6Vu
dXH6AsBO4EM7rxNNmuQiQq5LV/MFLIc3fSb/R4k7T6ex8k5uqdGrgqa6J6ZNykVc
X0/Dg09qdHXTq9GK4SHSfoWCqtRDNMhhuJtjigy+igkT7LmQKadlhTFlmwlojmzo
lso61vCRPggql2okjN3GYR42eD27YjGXTWWFYKYL3fFb4g315j1NETcu3MdW9HfW
BdCqqnDfp9e9Db0G8UzvKpWUxTarGKAEeCa5XcZY1fHpsL+neCHebT9QV53VRbiY
rpvWhvaJ3Wls6z9ymWtitOt9pODFq4G1odEgP486eTjVy96IstBsM+WoIiNogbl7
6ERfdfI+z1VQqeeNOiyGqlVRpRio9JD7/lVk28sUlIUkyjouwQ+AOXkgfSnUEVSr
svh885N2hwa5O7Ao/XrSXfkJwwcwy2ALyClfMYrlfiXv0fWUxlny4o1L5BRGZYdL
+hW3K11Ht84=
=fo15
-----END PGP SIGNATURE-----