Security fixes for opensaml2 and xmltooling

Scott Cantor cantor.2 at osu.edu
Wed Sep 23 19:48:35 UTC 2009


Florian Weimer wrote on 2009-09-23:
> * Scott Cantor:
> 
>> My point was that it's never inlined in the sense of true inlining in
>> C++. If it's virtual, the language rules ensure that it's only called
>> through the vtable, never generated inline in the caller.
> 
> This is not true, GCC has supported devirtualization for some time.
> For instance, in this example, demo() is optimized into a direct call
> to bar().

Hmm, I guess nobody updated the pages I've seen that discussed it. I don't
think devirtualization in this case would be likely, but it's not worth
worrying about now, and if the called code ends up in the calling module,
that would break it anyway.

> (Please keep Cc: me, I'm not subscribed to the mailing list.  We've
> lost security@ somewhere along the way, but I don't think that it
> matters now. 8-)

Oh, sorry, I didn't want to pollute that list and didn't know you weren't on
the other one.

Anyway, thanks for correcting me. Russ filed a bug and the svn branches are
already bumped to the next minor version, so before I release again I'll go
through and fix them all.

-- Scott





More information about the Pkg-shibboleth-devel mailing list