Bug 1352068 (CVE-2016-6131) - CVE-2016-6131 gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler
Status: CLOSED NOTABUG
Alias: CVE-2016-6131
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1352069 1352070 1352072 1352073 1352074 1352075 1352076 1352078 1352079 1352080 1352082 1352083
Blocks: 1352084
Reported: 2016-07-01 14:25 UTC by Adam Mariš
Modified: 2021-02-17 03:38 UTC

Last Closed: 2016-07-04 10:16:27 UTC

Description Adam Mariš 2016-07-01 14:25:46 UTC
A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.

Upstream bug:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696

Proposed patch:

https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html

CVE assignment:

http://seclists.org/oss-sec/2016/q2/633
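
The self-reference described in the report above, modeled as an added example (not code from libiberty or from the proposed patch). The toy grammar (`i`, `P`, `T`<digit>) and the names `demangle_type` and `in_progress` are assumptions made for illustration; the per-slot guard shows one way to reject a remembered type that refers back to itself instead of recursing until the stack is exhausted.

```c
#include <stdio.h>
#include <string.h>
#define NSLOTS 4
/* Constructed toy grammar, not libiberty's: 'i' = int, 'P'<type> = pointer
   to <type>, 'T'<digit> = reference to remembered type string <digit>. */
struct demangler {
    const char *remembered[NSLOTS]; /* type strings saved for later reference */
    int in_progress[NSLOTS];        /* set while a slot is being expanded */
};
/* Appends s to out; returns -1 instead of overflowing the buffer. */
static int emit(char *out, size_t outsz, const char *s) {
    if (strlen(out) + strlen(s) + 1 > outsz) return -1;
    strcat(out, s);
    return 0;
}

/* Expands the type at *p into out. Returns -1 on malformed input or when a
   remembered type refers back to itself, directly or through other slots. */
static int expand_type(struct demangler *d, const char **p, char *out, size_t outsz) {
    char c = **p;
    if (c != '\0') (*p)++;
    if (c == 'i') return emit(out, outsz, "int");
    if (c == 'P') return expand_type(d, p, out, outsz) ? -1 : emit(out, outsz, "*");
    if (c != 'T') return -1;
    int idx = **p - '0';
    if (idx < 0 || idx >= NSLOTS || d->remembered[idx] == NULL) return -1;
    (*p)++;
    /* Cycle guard: without this check the recursive call never returns. */
    if (d->in_progress[idx]) return -1;
    d->in_progress[idx] = 1;
    const char *q = d->remembered[idx];
    int rc = expand_type(d, &q, out, outsz);
    d->in_progress[idx] = 0;
    return rc;
}

/* Hypothetical entry point: returns 0 and fills out, or -1 if rejected. */
int demangle_type(const char *mangled, const char *slots[NSLOTS], char *out, size_t outsz) {
    struct demangler d = {0};
    if (outsz == 0) return -1;
    memcpy(d.remembered, slots, sizeof d.remembered);
    out[0] = '\0';
    return expand_type(&d, &mangled, out, outsz);
}
int main(void) {
    const char *cyclic[NSLOTS] = { "PT0" };  /* constructed: slot 0 refers to slot 0 */
    char buf[64];
    printf("self-referencing slot -> %d\n", demangle_type("T0", cyclic, buf, sizeof buf));
    return 0;
}
```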

Comment 1 Adam Mariš 2016-07-01 14:28:23 UTC
Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1352076]

Comment 2 Adam Mariš 2016-07-01 14:28:39 UTC
Created mingw-gdb tracking bugs for this issue:

Affects: fedora-all [bug 1352074]
Affects: epel-7 [bug 1352075]

Comment 3 Adam Mariš 2016-07-01 14:28:48 UTC
Created compat-gcc-296 tracking bugs for this issue:

Affects: fedora-all [bug 1352072]

Comment 4 Adam Mariš 2016-07-01 14:28:57 UTC
Created compat-gcc-34 tracking bugs for this issue:

Affects: fedora-all [bug 1352070]

Comment 5 Adam Mariš 2016-07-01 14:29:06 UTC
Created compat-gcc-32 tracking bugs for this issue:

Affects: fedora-all [bug 1352069]

Comment 6 Adam Mariš 2016-07-01 14:29:14 UTC
Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 1352073]

Comment 7 Adam Mariš 2016-07-01 14:29:22 UTC
Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1352082]
Affects: epel-all [bug 1352083]

Comment 8 Adam Mariš 2016-07-01 14:29:31 UTC
Created mingw-gcc tracking bugs for this issue:

Affects: fedora-all [bug 1352078]
Affects: epel-all [bug 1352079]

Comment 9 Adam Mariš 2016-07-01 14:29:40 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1352080]

Comment 10 Jan Kratochvil 2016-07-03 07:14:39 UTC
Why is this issue filed as a security bug?  This is an infinite recursion which leads to a stack overflow which leads only to a DoS.  No remote code execution is possible.  This is not a stack-based buffer overflow.

At least for GDB there are many known bugs how to make it crash on specially crafted binaries, but that is still not a security vulnerability.

Comment 11 Stefan Cornelius 2016-07-04 10:07:22 UTC
I agree with comment #10, I don't think that a stack overflow qualifies as a security issue in this context. I can't think of a realistic scenario where this would cross any privilege boundaries or have any real impact on system security as a whole.

Comment 13 Doran Moppert 2020-02-11 00:29:48 UTC
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
