Bug 1635082 (CVE-2018-17794)

Summary: CVE-2018-17794 binutils: NULL pointer dereference in libiberty/cplus-dem.c:work_stuff_copy_to_from() via crafted input
Product: [Other] Security Response
Component: vulnerability
Reporter: Sam Fowler <sfowler>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2021-10-25 22:19:11 UTC
CC: abhgupta, dbaker, dvlasenk, erik-fedora, fweimer, jakub, jokerman, kanderso, klember, mcermak, mnewsome, mpolacek, nickc, ohudlick, rjones, security-response-team, sthangav, trankin, trupti_pardeshi, yselkowi
Bug Depends On: 1635083, 1635084, 1635085, 1635086, 1635087, 1649719, 1650474, 1650475
Bug Blocks: 1635088, 1647427

Description Sam Fowler 2018-10-02 04:42:48 UTC
An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.

Upstream Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350

Comment 1 Sam Fowler 2018-10-02 04:43:53 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1635083]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1635085]
Affects: fedora-all [bug 1635084]

Comment 8 Trupti Pardeshi 2020-05-27 09:21:24 UTC
Hi,

It looks like the below-mentioned CVEs are related:
CVE-2018-18700
CVE-2018-18701
CVE-2018-17985
CVE-2018-17794
CVE-2018-18484

All of the Red Hat bugs for these CVEs are in an open state (i.e., NEW state).

Can someone please help me understand whether GCC on RHEL 5 and RHEL 6 is affected by the above-mentioned CVEs? If yes, in which version of GCC for RHEL 5 and RHEL 6 will the fix be provided?

Any heads-up is much appreciated.

Thanks in advance.

Best Regards,

Comment 9 Nick Clifton 2020-05-27 10:03:03 UTC
(In reply to Trupti Pardeshi from comment #8)

> It looks like the below-mentioned CVEs are related:

Indeed, they are.

> Can someone please help me understand whether GCC on RHEL 5 and RHEL 6 is
> affected by the above-mentioned CVEs?

Yes.  Although, to be clear, the problem is in the name demangling code, which is part of the libiberty library.  This library is part of the GCC distribution, although the name demangling code is only rarely used (generally only when printing out informative messages).  The bug does not affect the actual compilation of code.  The libiberty library, however, is used by the binutils package as well, and this package does make more use of the name demangling features.  In particular, one program supplied by the package - cxxfilt - is expressly intended to take mangled names and convert them into their demangled forms.  Therefore the binutils packages supplied with RHEL 5 and RHEL 6 are also affected.

> If yes, in which version of GCC for RHEL 5 and RHEL 6 will the fix be
> provided?

Currently there are no plans to provide such a fix.  The problem only manifests if a tool, e.g. cxxfilt, is asked to demangle a specially crafted, malformed name.  Properly mangled names, such as those generated by G++ or other compilers, will not trigger the problem.

Also, it should be noted that the problem is fixed in the Developer Toolset 9 version of binutils, which is available for RHEL 6.

I hope that this information helps.

Comment 10 Trupti Pardeshi 2020-05-27 11:05:04 UTC
(In reply to Nick Clifton from comment #9)

Thank you so much, Nick, for the prompt and clear reply.