Bug 1664709 (CVE-2018-20673) - CVE-2018-20673 libiberty: Integer overflow in demangle_template() function
Summary: CVE-2018-20673 libiberty: Integer overflow in demangle_template() function
Keywords:
Status: NEW
Alias: CVE-2018-20673
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1665957 1665958 1665959 1665960 1665961 1665962 1665963 1664713 1664714 1664715 1668388 1668389 1668390 1668391 1668392 1668393 1668394 1668395 1668396
Blocks: 1664716
Reported: 2019-01-09 13:44 UTC by Andrej Nemec
Modified: 2019-09-29 15:04 UTC
CC: 46 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Andrej Nemec 2019-01-09 13:44:41 UTC
An integer overflow was found in the demangle_template() function in GNU libiberty. A crafted file could cause the application to crash.

Upstream issue:
https://sourceware.org/bugzilla/show_bug.cgi?id=24039

Comment 1 Andrej Nemec 2019-01-09 13:48:18 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1664713]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1664715]
Affects: fedora-all [bug 1664714]

Comment 2 Riccardo Schirone 2019-01-14 14:03:20 UTC
Upstream issue was moved to gcc project:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88783

Comment 3 Riccardo Schirone 2019-01-14 14:52:38 UTC
libiberty is embedded in at least gcc, gdb and binutils.

Comment 4 Riccardo Schirone 2019-01-14 14:55:31 UTC
Created avr-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1665957]


Created avr-gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665958]


Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1665960]


Created gccxml tracking bugs for this issue:

Affects: fedora-all [bug 1665961]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 1665959]


Created gputils tracking bugs for this issue:

Affects: fedora-all [bug 1665962]


Created sdcc tracking bugs for this issue:

Affects: fedora-all [bug 1665963]

Comment 5 Riccardo Schirone 2019-01-14 16:29:09 UTC
When libiberty is compiled in 32-bit mode, and size_t has a size of 4 bytes, an integer overflow is possible in the demangle_template() function in cplus-dem.c, leading to a heap-based buffer overflow shortly after in the same function, which can crash the application.

Comment 7 Riccardo Schirone 2019-01-22 14:11:05 UTC
The overflow happens when allocating `work->tmpl_argvec` in the demangle_template() function.
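Comments 5 and 7 describe the mechanism: an element count multiplied by the pointer size wraps in a 4-byte size_t, so the buffer handed back for `work->tmpl_argvec` is far smaller than the code later assumes. The following is an added illustration of that arithmetic and of the guard that prevents it; it is not libiberty's code, and the names (`argvec_bytes_unchecked`, `argvec_bytes_checked`, `alloc_argvec`, `mul_fits_size_t`) and the `PTR_SIZE_32` constant of 4 bytes are assumptions used to model a 32-bit build on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Pointer size in a 32-bit build (assumption: 4 bytes). Using uint32_t
 * arithmetic below reproduces a 4-byte size_t even on a 64-bit host. */
#define PTR_SIZE_32 4u

/* The unchecked computation: count * sizeof(char *) under a 4-byte size_t.
 * For count = 0x40000001 the true product 0x100000004 wraps to 4, so an
 * allocator would return a 4-byte buffer for over a billion pointers and
 * every later store past the first one writes beyond the heap block. */
uint32_t argvec_bytes_unchecked(uint32_t count)
{
    return (uint32_t)(count * PTR_SIZE_32);
}

/* The guard: accept the count only if count * PTR_SIZE_32 fits in a 4-byte
 * size_t. Dividing the maximum first avoids doing the overflowing multiply. */
bool argvec_bytes_checked(uint32_t count, uint32_t *bytes)
{
    if (count > UINT32_MAX / PTR_SIZE_32)
        return false;
    *bytes = count * PTR_SIZE_32;
    return true;
}

/* Hypothetical hardened allocation wrapper: refuses an untrusted count that
 * would wrap instead of returning an undersized buffer. Caller owns result. */
void *alloc_argvec(uint32_t count)
{
    uint32_t bytes;
    if (!argvec_bytes_checked(count, &bytes))
        return NULL;
    return malloc(bytes);
}

/* The same guard against the host's real size_t. With an 8-byte size_t the
 * count above fits comfortably, which is why comments 8 and 10 can rule out
 * the 64-bit-only packages. */
bool mul_fits_size_t(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

int main(void)
{
    uint32_t count = 0x40000001u;   /* constructed attacker-controlled count */
    uint32_t bytes;
    size_t host_bytes;

    printf("unchecked 32-bit byte count: %u\n", argvec_bytes_unchecked(count));
    printf("checked 32-bit: %s\n",
           argvec_bytes_checked(count, &bytes) ? "accepted" : "rejected");
    printf("host size_t (%zu bytes): %s\n", sizeof(size_t),
           mul_fits_size_t(count, sizeof(char *), &host_bytes) ? "fits" : "wraps");
    return 0;
}
```

The check belongs where the count is produced from untrusted input, before the size reaches the allocator; a wrapper such as `alloc_argvec` makes that impossible to forget at each call site.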

Comment 8 Riccardo Schirone 2019-01-22 16:14:11 UTC
gdb on Red Hat Enterprise Linux 7 or above and Red Hat Developer Toolset 7 or above are not affected by this flaw, as they are shipped only in 64-bit mode and there is no gdb devel package compiled for 32-bit.

Comment 10 Riccardo Schirone 2019-01-23 08:49:39 UTC
Statement:

This issue did not affect the versions of gdb as shipped with Red Hat Enterprise Linux 7 and with Red Hat Developer Toolset 7 and 8, as they are compiled only for 64-bit architectures, where the flaw is not present.

