Bug 1645957 (CVE-2018-18483)

Summary: CVE-2018-18483 binutils: Integer overflow in cplus-dem.c:get_count() allows for denial of service
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, dbaker, dvlasenk, erik-fedora, fweimer, jakub, jokerman, kanderso, klember, mcermak, mnewsome, mpolacek, nickc, ohudlick, rjones, security-response-team, sthangav, trankin, trupti_pardeshi, virt-maint, yselkowi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 22:21:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1645961, 1645963, 1645965, 1645966, 1650333, 1653849, 1654027    
Bug Blocks: 1647427    

Description Sam Fowler 2018-11-05 05:14:31 UTC 
The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.


Upstream Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602
https://sourceware.org/bugzilla/show_bug.cgi?id=23767
Comment 1 Sam Fowler 2018-11-05 05:20:28 UTC 
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1645961]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1645963]
Comment 4 Scott Gayou 2018-11-15 21:19:50 UTC 
Trivial to reproduce, binutils220 does not package c++filt.
Comment 9 Trupti Pardeshi 2020-05-27 09:13:27 UTC 
Can someone please help to know whether GCC of RHEL 5 and RHEL 6 are affected by this issue? If yes, whether fix will be provided in which version of GCC for RHEL 5 and RHEL 6?

Any heads up are much appreciated.

Thanks in advance.

Best Regards,
Comment 10 Nick Clifton 2020-05-27 10:10:59 UTC 
(In reply to Trupti Pardeshi from comment #9)
> Can someone please help to know whether GCC of RHEL 5 and RHEL 6 are
> affected by this issue?

Yes they are.  (Although to be clear it is the binutils packages for RHEL 5 and RHEL 6 which are most affected by the problem, even though the bug is in the libiberty library which part of the GCC project).

> If yes, whether fix will be provided in which
> version of GCC for RHEL 5 and RHEL 6?

Currently there are no plans to provide a fix for this CVE.

Since the problem only manifests in 32-bit environments, and only when asked to demangle a specially created, corrupt name, there does not appear to be a pressing need to create a fix for this problem.
Comment 11 Trupti Pardeshi 2020-05-27 11:04:17 UTC 
(In reply to Nick Clifton from comment #10)
> (In reply to Trupti Pardeshi from comment #9)
> > Can someone please help to know whether GCC of RHEL 5 and RHEL 6 are
> > affected by this issue?
> 
> Yes they are.  (Although to be clear it is the binutils packages for RHEL 5
> and RHEL 6 which are most affected by the problem, even though the bug is in
> the libiberty library which part of the GCC project).
> 
> > If yes, whether fix will be provided in which
> > version of GCC for RHEL 5 and RHEL 6?
> 
> Currently there are no plans to provide a fix for this CVE.
> 
> Since the problem only manifests in 32-bit environments, and only when asked
> to demangle a specially created, corrupt name, there does not appear to be a
> pressing need to create a fix for this problem.

Thank you so much Nick for prompt and clear reply.