GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

References:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98886
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841
https://nvd.nist.gov/vuln/detail/CVE-2021-46195
Note - a patch to fix this bug has been proposed here: https://gcc.gnu.org/pipermail/gcc-patches/2022-January/589277.html Also note that although this CVE refers to GCC, the problem also affects the Binutils packages. The severity of the CVE might be to high however. The problem is only triggered when deliberately corrupt input is passed to a tool that attempts to demangle symbol names. Normal users should never encounter this problem.
Sorry, I meant ..."might be too high"...
Thanks Nick, I lowered the severity of the flaw as per your previous comment.
Upstream commit: https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=f10bec5ffa487ad3033ed5f38cfd0fc7d696deab
Created gcc tracking bugs for this issue:
Affects: fedora-all [bug 2054887]

Created mingw-gcc tracking bugs for this issue:
Affects: fedora-all [bug 2054888]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2022:8415 https://access.redhat.com/errata/RHSA-2022:8415
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-46195
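The flaw class tracked in this bug is a recursive parser that descends once per nesting level of an attacker-supplied symbol name; the usual defence is an explicit depth counter that fails closed. The sketch below is an added example, not code from libiberty or from the upstream commit: the toy grammar, the names `check_symbol` and `parse_type`, and the limit `MAX_DEPTH` are all assumptions made for illustration.

```c
#include <string.h>

/* Hypothetical toy grammar (NOT Rust's real mangling scheme):
 *   type := 'i' | 'P' type | 'T' type* 'E'   (leaf, pointer, tuple) */
#define MAX_DEPTH 64 /* assumed limit, chosen for this example */

enum parse_status { PARSE_OK = 0, PARSE_BAD_INPUT = -1, PARSE_TOO_DEEP = -2 };

struct parser {
    const char *s;  /* symbol being parsed */
    size_t len, pos;
    unsigned depth; /* current recursion depth */
};

static enum parse_status parse_type(struct parser *p)
{
    enum parse_status rc = PARSE_BAD_INPUT;

    /* Refuse to recurse further instead of exhausting the stack. */
    if (++p->depth > MAX_DEPTH) { rc = PARSE_TOO_DEEP; goto out; }
    if (p->pos >= p->len) goto out; /* truncated input */

    switch (p->s[p->pos++]) {
    case 'i':
        rc = PARSE_OK;
        break;
    case 'P':
        rc = parse_type(p);
        break;
    case 'T':
        rc = PARSE_OK;
        while (rc == PARSE_OK && p->pos < p->len && p->s[p->pos] != 'E')
            rc = parse_type(p);
        if (rc == PARSE_OK && (p->pos >= p->len || p->s[p->pos++] != 'E'))
            rc = PARSE_BAD_INPUT; /* unterminated tuple */
        break;
    }
out:
    p->depth--;
    return rc;
}

/* PARSE_OK only if the whole symbol is exactly one well-formed type. */
enum parse_status check_symbol(const char *sym)
{
    struct parser p = { sym, strlen(sym), 0, 0 };
    enum parse_status rc = parse_type(&p);
    return (rc == PARSE_OK && p.pos != p.len) ? PARSE_BAD_INPUT : rc;
}
```

A distinct `PARSE_TOO_DEEP` result lets the calling tool print the raw symbol and continue, and gives log review a signal that is separate from ordinary malformed input.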