Bug 1566788 – CVE-2018-9996 binutils: Stack-overflow in libiberty/cplus-dem.c causes crash

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1566788 - (CVE-2018-9996) CVE-2018-9996 binutils: Stack-overflow in libiberty/cplus-dem.c causes crash

Summary:	CVE-2018-9996 binutils: Stack-overflow in libiberty/cplus-dem.c causes crash

Status:	CLOSED NOTABUG

Aliases:	CVE-2018-9996

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180409,reported=2...
Keywords:	Security

Depends On:	1564294 1566789 1566790 1566791 1566792
Blocks:	1564296
	Show dependency tree / graph

Reported:	2018-04-12 21:52 EDT by Sam Fowler
Modified:	2018-05-17 18:47 EDT (History)
CC List:	11 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-05-17 18:47:08 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-04-12 21:52:43 EDT

GNU Binutils through version 2.30 is vulnerable to a stack-overflow in the libiberty/cplus-dem.c demangling functions demangle_template_value_parm, demangle_integral_value, and demangle_expression. An attacker could exploit this to cause a crash via a crafted file.


Upstream Bug:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304

Comment 1 Sam Fowler 2018-04-12 21:53:16 EDT

Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1566792]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1566790]
Affects: epel-all [bug 1566789]

Comment 4 Pedro Yóssis Silva Barbosa 2018-05-17 18:47:08 EDT

Tested in RHEL 7 and 6 but c++filt didn't crash with the provided PoC. It may be because without sanitizer it is necessary less stack per recursion level. In any case, as stated by upstream, it seems that all is working as designed and isn't a bug.

Note You need to log in before you can comment on or make changes to this bug.