Bug 1352068 (CVE-2016-6131)

Summary: CVE-2016-6131 gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: davejohansen, erik-fedora, fedora-mingw, fedora, gbenson, gdb-bugs, jakub, jan.kratochvil, jwakely, klember, ktietz, law, mjw, mpolacek, nickc, ohudlick, palves, pmuldoon, rjones, sardella, sergiodj, slawomir, tom
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-07-04 10:16:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1352069, 1352070, 1352072, 1352073, 1352074, 1352075, 1352076, 1352078, 1352079, 1352080, 1352082, 1352083
Bug Blocks: 1352084

Description Adam Mariš 2016-07-01 14:25:46 UTC
A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.

Upstream bug:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696

Proposed patch:

https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html

CVE assignment:

http://seclists.org/oss-sec/2016/q2/633
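To make the mechanism in the description concrete, here is a constructed toy model (an added example, not libiberty's code and not the real Itanium mangling grammar): a parsed type is remembered in a substitution table before it is complete, so a back-reference can make a node its own pointee; the naive printer then recurses without bound, while the checked printer refuses a node that is already on the print path. The grammar, names and the cycle check are assumptions of this example, not a description of the upstream patch.

```python
from dataclasses import dataclass
class DemangleError(Exception): pass  # malformed or self-referential input

@dataclass(eq=False)
class Node:
    kind: str                     # "builtin" or "pointer"
    text: str = ""                # spelled-out name for builtins
    child: "Node | None" = None   # pointee for pointers

def parse_type(s, pos, subs):
    """Parse one type at s[pos:]. Toy grammar: i=int, c=char, P<type>=pointer,
    S<n>_=back-reference to the n-th remembered type. Returns (node, new_pos)."""
    if pos >= len(s):
        raise DemangleError("unexpected end of input")
    ch = s[pos]
    if ch in "ic":
        node = Node("builtin", {"i": "int", "c": "char"}[ch])
        subs.append(node)
        return node, pos + 1
    if ch == "P":
        node = Node("pointer")
        subs.append(node)  # remembered BEFORE its pointee exists: the weak spot
        node.child, pos = parse_type(s, pos + 1, subs)
        return node, pos
    if ch == "S":
        end = s.find("_", pos)
        if end < 0:
            raise DemangleError("unterminated substitution")
        idx = int(s[pos + 1:end])
        if idx >= len(subs):
            raise DemangleError("substitution index out of range")
        return subs[idx], end + 1  # reuse the remembered node (may be ourselves)
    raise DemangleError(f"unknown type code {ch!r}")
def print_unchecked(node):
    """Naive printer: a self-referential node recurses until the stack is gone."""
    return node.text if node.kind == "builtin" else print_unchecked(node.child) + "*"
def print_checked(node, active=frozenset()):
    """Hardened printer: a node already on the print path is a cycle, so fail
    cleanly instead of recursing (generic cycle check, not the upstream patch)."""
    if id(node) in active:
        raise DemangleError("self-referential type")
    if node.kind == "builtin":
        return node.text
    return print_checked(node.child, active | {id(node)}) + "*"

def demangle(s):
    node, pos = parse_type(s, 0, [])
    if pos != len(s):
        raise DemangleError("trailing input")
    return print_checked(node)
```

With the constructed input `PS0_` the pointer node becomes its own child; `print_unchecked` exhausts the interpreter's recursion limit (the C analogue is the stack overflow in the report), whereas `demangle` returns a clean `DemangleError`.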

Comment 1 Adam Mariš 2016-07-01 14:28:23 UTC
Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1352076]

Comment 2 Adam Mariš 2016-07-01 14:28:39 UTC
Created mingw-gdb tracking bugs for this issue:

Affects: fedora-all [bug 1352074]
Affects: epel-7 [bug 1352075]

Comment 3 Adam Mariš 2016-07-01 14:28:48 UTC
Created compat-gcc-296 tracking bugs for this issue:

Affects: fedora-all [bug 1352072]

Comment 4 Adam Mariš 2016-07-01 14:28:57 UTC
Created compat-gcc-34 tracking bugs for this issue:

Affects: fedora-all [bug 1352070]

Comment 5 Adam Mariš 2016-07-01 14:29:06 UTC
Created compat-gcc-32 tracking bugs for this issue:

Affects: fedora-all [bug 1352069]

Comment 6 Adam Mariš 2016-07-01 14:29:14 UTC
Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 1352073]

Comment 7 Adam Mariš 2016-07-01 14:29:22 UTC
Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1352082]
Affects: epel-all [bug 1352083]

Comment 8 Adam Mariš 2016-07-01 14:29:31 UTC
Created mingw-gcc tracking bugs for this issue:

Affects: fedora-all [bug 1352078]
Affects: epel-all [bug 1352079]

Comment 9 Adam Mariš 2016-07-01 14:29:40 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1352080]

Comment 10 Jan Kratochvil 2016-07-03 07:14:39 UTC
Why is this issue filed as a security bug?  This is an infinite recursion which leads to a stack overflow which leads only to a DoS.  No remote code execution is possible.  This is not a stack-based buffer overflow.

At least for GDB there are many known bugs on how to make it crash on specially crafted binaries, but that is still not a security vulnerability.

Comment 11 Stefan Cornelius 2016-07-04 10:07:22 UTC
I agree with comment #10; I don't think that a stack overflow qualifies as a security issue in this context. I can't think of a realistic scenario where this would cross any privilege boundaries or have any real impact on system security as a whole.

Comment 13 Doran Moppert 2020-02-11 00:29:48 UTC
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.