Bug 1664709 (CVE-2018-20673)

Summary: CVE-2018-20673 libiberty: Integer overflow in demangle_template() function
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
CC: abhgupta, bmcclain, chitlesh, cz172638, davejohansen, dbaker, dblechte, dfediuck, dmalcolm, eedri, fweimer, gdb-bugs, giallu, hdegoede, jakub, jan.kratochvil, jaromir.capik, jokerman, jwakely, kanderso, keiths, kevinb, law, mattias.ellert, mcermak, mgoldboi, mhlavink, michal.skrivanek, mnewsome, mpetlan, mpolacek, msebor, nickc, ohudlick, palves, rhbugs, rrankin, rschiron, sbonazzo, sergiodj, sherold, sthangav, thibault.north, trankin, trond.danielsen, virt-maint
Bug Depends On: 1665957, 1665958, 1665959, 1665960, 1665961, 1665962, 1665963, 1664713, 1664714, 1664715, 1668388, 1668389, 1668390, 1668391, 1668392, 1668393, 1668394, 1668395, 1668396
Bug Blocks: 1664716

Description Andrej Nemec 2019-01-09 13:44:41 UTC
An integer overflow was found in the demangle_template() function in GNU libiberty. A crafted file could cause the application to crash.

Upstream issue:
https://sourceware.org/bugzilla/show_bug.cgi?id=24039

Comment 1 Andrej Nemec 2019-01-09 13:48:18 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1664713]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1664715]
Affects: fedora-all [bug 1664714]

Comment 2 Riccardo Schirone 2019-01-14 14:03:20 UTC
Upstream issue was moved to the gcc project:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88783

Comment 3 Riccardo Schirone 2019-01-14 14:52:38 UTC
libiberty is embedded in at least gcc, gdb and binutils.

Comment 4 Riccardo Schirone 2019-01-14 14:55:31 UTC
Created avr-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1665957]


Created avr-gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665958]


Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665960]


Created gccxml tracking bugs for this issue:

Affects: fedora-all [bug 1665961]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 1665959]


Created gputils tracking bugs for this issue:

Affects: fedora-all [bug 1665962]


Created sdcc tracking bugs for this issue:

Affects: fedora-all [bug 1665963]

Comment 5 Riccardo Schirone 2019-01-14 16:29:09 UTC
When libiberty is compiled in 32-bit mode, and size_t has a size of 4 bytes, an integer overflow is possible in the demangle_template() function in cplus-dem.c, leading to a heap-based buffer overflow shortly after in the same function, which can crash the application.

Comment 7 Riccardo Schirone 2019-01-22 14:11:05 UTC
The overflow happens when allocating `work->tmpl_argvec` in the demangle_template() function.
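The arithmetic described in comments 5 and 7, as an added illustration that is not libiberty's code: with a 4-byte size_t, an argument count multiplied by the pointer size can wrap before it reaches the allocator, so a huge count buys a tiny buffer. The 32-bit size_t is modelled with uint32_t, and `parse_count32` is a hypothetical decimal-count reader, not cplus-dem.c's parser; the checked variant shows the bound a fixed build needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for a 32-bit build: size_t and char * are both 4 bytes.
   Modelled for illustration only; not libiberty's own types or parser. */
typedef uint32_t size32_t;
#define PTR_SIZE32 4u

/* Hypothetical helper: read a decimal argument count from a mangled-name
   fragment into a 32-bit size, refusing to wrap while accumulating digits.
   Returns the number of digits consumed, or 0 on failure. */
size_t parse_count32(const char *s, size32_t *count)
{
    size32_t n = 0;
    size_t i = 0;
    for (; s[i] >= '0' && s[i] <= '9'; i++) {
        unsigned d = (unsigned)(s[i] - '0');
        if (n > (UINT32_MAX - d) / 10)   /* n * 10 + d would wrap */
            return 0;
        n = n * 10 + d;
    }
    if (i == 0)
        return 0;
    *count = n;
    return i;
}

/* Unchecked byte size, as 32-bit arithmetic computes it: the product wraps
   modulo 2^32, so 0x40000001 pointers come out as a 4-byte request. */
size32_t argvec_bytes_unchecked(size32_t nargs)
{
    return nargs * PTR_SIZE32;
}

/* Checked version: true only when nargs pointers fit in a 32-bit size.
   Dividing the limit avoids the multiplication that would wrap. */
bool argvec_bytes_checked(size32_t nargs, size32_t *bytes)
{
    if (nargs > UINT32_MAX / PTR_SIZE32)
        return false;
    *bytes = nargs * PTR_SIZE32;
    return true;
}
```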

Comment 8 Riccardo Schirone 2019-01-22 16:14:11 UTC
gdb on Red Hat Enterprise Linux 7 or above and Red Hat Developer Toolset 7 or above is not affected by this flaw, as it is shipped only in 64-bit mode and there is no gdb devel package compiled for 32-bit.

Comment 10 Riccardo Schirone 2019-01-23 08:49:39 UTC
Statement:

This issue did not affect the versions of gdb as shipped with Red Hat Enterprise Linux 7 and with Red Hat Developer Toolset 7 and 8, as they are compiled only for 64-bit architectures, where the flaw is not present.