Bug 1664709 (CVE-2018-20673)
| Summary: | CVE-2018-20673 libiberty: Integer overflow in demangle_template() function | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abhgupta, bmcclain, chitlesh, cz172638, dbaker, dmalcolm, fweimer, gdb-bugs, giallu, hdegoede, jakub, jan.kratochvil, jaromir.capik, jokerman, jwakely, kanderso, keiths, kevinb, law, mattias.ellert, mcermak, mhlavink, mnewsome, mpetlan, mpolacek, msebor, nickc, ohudlick, palves, rhbugs, rrankin, rschiron, sergiodj, sthangav, thibault.north, trankin, trond.danielsen, virt-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-10-23 16:12:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1664713, 1664714, 1664715, 1665957, 1665958, 1665959, 1665960, 1665961, 1665962, 1665963, 1668388, 1668389, 1668390, 1668391, 1668392, 1668393, 1668394, 1668395, 1668396 | ||
| Bug Blocks: | 1664716 | ||
|
Description
Andrej Nemec
2019-01-09 13:44:41 UTC
Created binutils tracking bugs for this issue: Affects: fedora-all [bug 1664713] Created mingw-binutils tracking bugs for this issue: Affects: epel-all [bug 1664715] Affects: fedora-all [bug 1664714] Upstream issue was moved to gcc project: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88783 libiberty is embedded in at least gcc, gdb and binutils. Created avr-binutils tracking bugs for this issue: Affects: fedora-all [bug 1665957] Created avr-gcc tracking bugs for this issue: Affects: fedora-all [bug 1665958] Created gcc tracking bugs for this issue: Affects: fedora-all [bug 1665960] Created gccxml tracking bugs for this issue: Affects: fedora-all [bug 1665961] Created gdb tracking bugs for this issue: Affects: fedora-all [bug 1665959] Created gputils tracking bugs for this issue: Affects: fedora-all [bug 1665962] Created sdcc tracking bugs for this issue: Affects: fedora-all [bug 1665963] When libiberty is compiled in 32bit mode, and size_t has a size of 4 bytes, an integer overflow is possible in demangle_template() function in cplus-dem.c, leading to an heap-based buffer overflow shortly after in the same function, that can crash the application. The overflow happens when allocating `work->tmpl_argvec` in demangle_template() function. gdb on Red Hat Enterprise Linux 7 or above and Red Hat Developer Toolset 7 or above are not affected by this flaw as they are shipped only in 64bit mode and there is no gdb devel package compiled for 32bit. Closing as NOTABUG because GDB doesn't use "demangle_template" anymore. Please do not change the status of CVE bugs; we need to record the decision not to fix on older / still supported releases. Statement: This issue did not affect the versions of gdb as shipped with Red Hat Enterprise Linux 7 and with Red Hat Developer Toolset 7 and 8 as they are compiled only for 64bit architectures, where the flaw is not present. This vulnerability has been rated as Low severity for Red Hat Enterprise Linux 8, as the circumstances to exploit are particularly unlikely. A crafted binary file must be passed to one of the affected tools, in a 32-bit environment, and in a scenario where the corrupted file comes from an untrusted source. In 64 bit environments, exploitation is not possible. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4386 https://access.redhat.com/errata/RHSA-2021:4386 |