Bug 1566788 (CVE-2018-9996) - CVE-2018-9996 binutils: Stack-overflow in libiberty/cplus-dem.c causes crash
Summary: CVE-2018-9996 binutils: Stack-overflow in libiberty/cplus-dem.c causes crash
Alias: CVE-2018-9996
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1564294 1566789 1566790 1566791 1566792
Blocks: 1564296
Reported: 2018-04-13 01:52 UTC by Sam Fowler
Modified: 2021-02-17 00:30 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-17 22:47:08 UTC


Description Sam Fowler 2018-04-13 01:52:43 UTC
GNU Binutils through version 2.30 is vulnerable to a stack-overflow in the libiberty/cplus-dem.c demangling functions demangle_template_value_parm, demangle_integral_value, and demangle_expression. An attacker could exploit this to cause a crash via a crafted file.

Upstream Bug:


Comment 1 Sam Fowler 2018-04-13 01:53:16 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1566792]

Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1566790]
Affects: epel-all [bug 1566789]

Comment 4 Pedro Yóssis Silva Barbosa 2018-05-17 22:47:08 UTC
Tested in RHEL 7 and 6, but c++filt didn't crash with the provided PoC. It may be because, without a sanitizer, less stack is needed per recursion level. In any case, as stated by upstream, it seems that all is working as designed and this isn't a bug.

Comment 5 Doran Moppert 2020-02-11 00:30:31 UTC

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
