cpp, gcc, gcc4, libf2c, libgcc, libgcj, libgcj4, libgfortran, libgnat, libgomp, libmudflap, libobjc, libstdc++ security update

CentOS Errata and Security Advisory CESA-2010:0039

The gcc and gcc4 packages include, among others, C, C++, and Java GNU
compilers and related support libraries. libgcj contains a copy of GNU
Libtool’s libltdl library.

A flaw was found in the way GNU Libtool’s libltdl library looked for
libraries to load. It was possible for libltdl to load a malicious library
from the current working directory. In certain configurations, if a local
attacker is able to trick a local user into running a Java application
(which uses a function to load native libraries, such as
System.loadLibrary) from within an attacker-controlled directory containing
a malicious library or module, the attacker could possibly execute
arbitrary code with the privileges of the user running the Java
application. (CVE-2009-3736)

All gcc and gcc4 users should upgrade to these updated packages, which
contain a backported patch to correct this issue. All running Java
applications using libgcj must be restarted for this update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2010-January/078607.html
https://lists.centos.org/pipermail/centos-announce/2010-January/078608.html
https://lists.centos.org/pipermail/centos-announce/2010-January/078619.html
https://lists.centos.org/pipermail/centos-announce/2010-January/078620.html
https://lists.centos.org/pipermail/centos-announce/2010-January/078621.html
https://lists.centos.org/pipermail/centos-announce/2010-January/078622.html

Affected packages:
cpp
gcc
gcc-c++
gcc-g77
gcc-gfortran
gcc-gnat
gcc-java
gcc-objc
gcc-objc++
gcc4
gcc4-c++
gcc4-gfortran
gcc4-java
libf2c
libgcc
libgcj
libgcj-devel
libgcj-src
libgcj4
libgcj4-devel
libgcj4-src
libgfortran
libgnat
libgomp
libmudflap
libmudflap-devel
libobjc
libstdc++
libstdc+±devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0039