Bug 1664709 (CVE-2018-20673)

Summary: CVE-2018-20673 libiberty: Integer overflow in demangle_template() function
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, bmcclain, chitlesh, cz172638, davejohansen, dbaker, dblechte, dfediuck, dmalcolm, eedri, fweimer, gdb-bugs, giallu, hdegoede, jakub, jan.kratochvil, jaromir.capik, jokerman, jwakely, kanderso, keiths, kevinb, law, mattias.ellert, mcermak, mgoldboi, mhlavink, michal.skrivanek, mnewsome, mpetlan, mpolacek, msebor, nickc, ohudlick, palves, rhbugs, rrankin, rschiron, sbonazzo, sergiodj, sherold, sthangav, thibault.north, trankin, trond.danielsen, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20181227,reported=20190104,source=cve,cvss3=5.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L,cwe=CWE-190->CWE-122,fedora-all/binutils=affected,fedora-all/mingw-binutils=affected,epel-all/mingw-binutils=affected,rhel-5/binutils=wontfix,rhel-6/binutils=wontfix,rhel-7/binutils=wontfix,dts-7/devtoolset-7-binutils=wontfix,dts-8/devtoolset-8-binutils=affected,openshift-online-3/binutils=defer,rhel-8/binutils=wontfix,rhel-8/mingw-binutils=wontfix,fedora-all/avr-binutils=affected,fedora-all/avr-gcc=affected,fedora-all/gdb=affected,rhel-5/gdb=wontfix,rhel-6/gdb=wontfix,rhel-7/gdb=notaffected,rhev-m-4/gdb=new,openshift-online-3/gdb=notaffected,rhel-8/gdb=notaffected,dts-7/devtoolset-7-gdb=notaffected,dts-8/devtoolset-8-gdb=notaffected,fedora-all/gcc=affected,rhel-5/gcc=wontfix,rhel-6/gcc=wontfix,rhel-7/gcc=wontfix,rhel-8/gcc=wontfix,dts-7/devtoolset-7-gcc=wontfix,dts-8/devtoolset-8-gcc=affected,openshift-online-3/gcc=defer,fedora-all/gccxml=affected,fedora-all/gputils=affected,fedora-all/sdcc=affected,rhev-m-4/gcc=new
Bug Depends On: 1665957, 1665958, 1665959, 1665960, 1665961, 1665962, 1665963, 1664713, 1664714, 1664715, 1668388, 1668389, 1668390, 1668391, 1668392, 1668393, 1668394, 1668395, 1668396    
Bug Blocks: 1664716    

Description Andrej Nemec 2019-01-09 13:44:41 UTC
An integer overflow was found in the demangle_template() function in GNU libiberty. A crafted file could cause the application to crash.

Upstream issue:
https://sourceware.org/bugzilla/show_bug.cgi?id=24039

Comment 1 Andrej Nemec 2019-01-09 13:48:18 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1664713]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1664715]
Affects: fedora-all [bug 1664714]

Comment 2 Riccardo Schirone 2019-01-14 14:03:20 UTC
Upstream issue was moved to gcc project:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88783

Comment 3 Riccardo Schirone 2019-01-14 14:52:38 UTC
libiberty is embedded in at least gcc, gdb and binutils.

Comment 4 Riccardo Schirone 2019-01-14 14:55:31 UTC
Created avr-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1665957]


Created avr-gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665958]


Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665960]


Created gccxml tracking bugs for this issue:

Affects: fedora-all [bug 1665961]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 1665959]


Created gputils tracking bugs for this issue:

Affects: fedora-all [bug 1665962]


Created sdcc tracking bugs for this issue:

Affects: fedora-all [bug 1665963]

Comment 5 Riccardo Schirone 2019-01-14 16:29:09 UTC
When libiberty is compiled in 32-bit mode and size_t has a size of 4 bytes, an integer overflow is possible in the demangle_template() function in cplus-dem.c, leading to a heap-based buffer overflow shortly after in the same function, which can crash the application.

Comment 7 Riccardo Schirone 2019-01-22 14:11:05 UTC
The overflow happens when allocating `work->tmpl_argvec` in the demangle_template() function.
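The overflow chain described in comments 5 and 7 (CWE-190 leading to CWE-122 on a 32-bit build), as an added, constructed C example that is not libiberty's code: the element count is multiplied by the pointer size in 32-bit arithmetic, which wraps for large counts, next to a checked computation that refuses such counts. It assumes a 4-byte pointer as on a 32-bit target; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model a 32-bit size_t explicitly so the wrap reproduces on a 64-bit host.
   Constructed example; not libiberty's code. */
typedef uint32_t size32_t;

/* Hypothetical: sizeof(char *) on a 32-bit target. */
#define PTR_SIZE32 ((size32_t)4)

/* Unchecked allocation size, count * sizeof(char *) in 32-bit arithmetic.
   For count >= 2^30 the product wraps to a small value (CWE-190); writing
   `count` pointers into a buffer of that size is the heap overflow (CWE-122). */
size32_t naive_argvec_bytes(size32_t count)
{
    return count * PTR_SIZE32;
}

/* Checked variant: report failure instead of returning a wrapped size. */
bool checked_argvec_bytes(size32_t count, size32_t *out)
{
    size32_t bytes;
    if (__builtin_mul_overflow(count, PTR_SIZE32, &bytes))
        return false;           /* product does not fit in 32 bits */
    *out = bytes;
    return true;
}

/* Allocate only when the byte count is sound; NULL otherwise. */
void *alloc_argvec(size32_t count)
{
    size32_t bytes;
    if (!checked_argvec_bytes(count, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size32_t count = 0x40000001u;   /* constructed: 2^30 + 1 elements */
    printf("naive size for %u elements: %u bytes\n",
           count, naive_argvec_bytes(count));
    void *p = alloc_argvec(count);
    printf("checked allocation: %s\n", p ? "succeeded" : "rejected");
    free(p);
    return 0;
}
```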

Comment 8 Riccardo Schirone 2019-01-22 16:14:11 UTC
gdb on Red Hat Enterprise Linux 7 or above and Red Hat Developer Toolset 7 or above is not affected by this flaw, as it is shipped only in 64-bit mode and there is no gdb devel package compiled for 32-bit.

Comment 10 Riccardo Schirone 2019-01-23 08:49:39 UTC
Statement:

This issue did not affect the versions of gdb as shipped with Red Hat Enterprise Linux 7 and with Red Hat Developer Toolset 7 and 8, as they are compiled only for 64-bit architectures, where the flaw is not present.