Bug 1664709 (CVE-2018-20673) - CVE-2018-20673 libiberty: Integer overflow in demangle_template() function
Summary: CVE-2018-20673 libiberty: Integer overflow in demangle_template() function
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-20673
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1664713 1664714 1664715 1665957 1665958 1665959 1665960 1665961 1665962 1665963 1668388 (Engineering) 1668389 (Red Hat) 1668390 (Red Hat) 1668391 (Engineering) 1668392 (Engineering) 1668393 (Engineering) 1668394 (Engineering) 1668395 (Red Hat) 1668396 (Red Hat)
Blocks: 1664716 (Embargoed)

Reported: 2019-01-09 13:44 UTC by Andrej Nemec
Modified: 2021-11-09 18:32 UTC
CC List: 38 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-23 16:12:59 UTC


Links:
Red Hat Product Errata RHSA-2021:4386 (last updated 2021-11-09 18:32:57 UTC)

Description Andrej Nemec 2019-01-09 13:44:41 UTC
An integer overflow was found in the demangle_template() function in GNU libiberty. A crafted file could cause the application to crash.

Upstream issue:
https://sourceware.org/bugzilla/show_bug.cgi?id=24039

Comment 1 Andrej Nemec 2019-01-09 13:48:18 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1664713]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1664715]
Affects: fedora-all [bug 1664714]

Comment 2 Riccardo Schirone 2019-01-14 14:03:20 UTC
Upstream issue was moved to gcc project:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88783

Comment 3 Riccardo Schirone 2019-01-14 14:52:38 UTC
libiberty is embedded in at least gcc, gdb and binutils.

Comment 4 Riccardo Schirone 2019-01-14 14:55:31 UTC
Created avr-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1665957]


Created avr-gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665958]


Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665960]


Created gccxml tracking bugs for this issue:

Affects: fedora-all [bug 1665961]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 1665959]


Created gputils tracking bugs for this issue:

Affects: fedora-all [bug 1665962]


Created sdcc tracking bugs for this issue:

Affects: fedora-all [bug 1665963]

Comment 5 Riccardo Schirone 2019-01-14 16:29:09 UTC
When libiberty is compiled in 32-bit mode, and size_t has a size of 4 bytes, an integer overflow is possible in the demangle_template() function in cplus-dem.c, leading to a heap-based buffer overflow shortly after in the same function, which can crash the application.

Comment 7 Riccardo Schirone 2019-01-22 14:11:05 UTC
The overflow happens when allocating `work->tmpl_argvec` in the demangle_template() function.
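
To make the failure mode described in comments 5 and 7 concrete, here is an added C example; it is not libiberty's code and does not reproduce demangle_template(). It models the allocation of an argument vector as "allocate count pointers", shows how the byte-size computation wraps when size_t is 32 bits wide, and shows the overflow check a maintainer wants in front of such an allocation. The element type, the counts and the function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not libiberty's code. The real overflow site is
 * the allocation of work->tmpl_argvec in demangle_template(); here it
 * is modelled as "allocate count pointers" with constructed inputs. */

/* Model of a 32-bit size_t: the product count * elem_size truncated to
 * 32 bits, which is what malloc would receive on a 32-bit build if the
 * multiplication is not validated. */
uint32_t product_as_size_t32(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)((uint64_t)count * (uint64_t)elem_size);
}

/* Returns 1 when count * elem_size does not fit in a 32-bit size_t. */
int would_wrap32(uint32_t count, uint32_t elem_size)
{
    return elem_size != 0 && count > UINT32_MAX / elem_size;
}

/* Unchecked pattern (constructed): if count is derived from the input
 * being demangled, a large count wraps the byte size to a small value
 * on a 32-bit build, and later stores into the array run past the
 * buffer. Shown only for contrast; never called with a wrapping count. */
char **alloc_argvec_unchecked(size_t count)
{
    return (char **)malloc(count * sizeof(char *));
}

/* Hardened version: reject any count whose byte size cannot be
 * represented in size_t, on 32- and 64-bit builds alike. */
char **alloc_argvec_checked(size_t count)
{
    if (count > SIZE_MAX / sizeof(char *))
        return NULL;
    return (char **)malloc(count * sizeof(char *));
}

/* Helper for checking: 1 if the checked allocator accepts count. */
int checked_alloc_accepts(size_t count)
{
    char **v = alloc_argvec_checked(count);
    if (v == NULL)
        return 0;
    free(v);
    return 1;
}

int main(void)
{
    /* Constructed count: 0x40000001 pointers of 4 bytes each on a
     * 32-bit target multiply to 0x100000004, which truncates to 4. */
    uint32_t count = 0x40000001u;
    printf("32-bit product for %u x 4: %u bytes (wraps: %d)\n",
           (unsigned)count, (unsigned)product_as_size_t32(count, 4),
           would_wrap32(count, 4));
    printf("checked allocator accepts SIZE_MAX: %d\n",
           checked_alloc_accepts(SIZE_MAX));
    return 0;
}
```

The division-based check (`count > SIZE_MAX / sizeof(char *)`) is the portable way to detect the wrap before it happens; checking the product after the multiplication is too late, because the wrapped value is already a valid-looking small size. The same check is what makes the 64-bit case safe in practice: the counts reachable from a mangled name never approach SIZE_MAX / 8 there, which is why the comments below describe 64-bit builds as unaffected.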

Comment 8 Riccardo Schirone 2019-01-22 16:14:11 UTC
gdb on Red Hat Enterprise Linux 7 or above and Red Hat Developer Toolset 7 or above are not affected by this flaw as they are shipped only in 64-bit mode and there is no gdb devel package compiled for 32-bit.

Comment 11 Sergio Durigan Junior 2019-10-23 16:12:59 UTC
Closing as NOTABUG because GDB doesn't use "demangle_template" anymore.

Comment 12 Doran Moppert 2019-12-03 04:07:41 UTC
Please do not change the status of CVE bugs; we need to record the decision not to fix on older / still supported releases.

Comment 13 Doran Moppert 2021-04-14 05:20:06 UTC
Statement:

This issue did not affect the versions of gdb as shipped with Red Hat Enterprise Linux 7 and with Red Hat Developer Toolset 7 and 8 as they are compiled only for 64-bit architectures, where the flaw is not present.

This vulnerability has been rated as Low severity for Red Hat Enterprise Linux 8, as the circumstances to exploit are particularly unlikely. A crafted binary file must be passed to one of the affected tools, in a 32-bit environment, and in a scenario where the corrupted file comes from an untrusted source. In 64-bit environments, exploitation is not possible.

Comment 14 errata-xmlrpc 2021-11-09 18:32:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4386 https://access.redhat.com/errata/RHSA-2021:4386
