Bug 434590 (PR54411) - sys-devel/{binutils,gcc,gdb}: libiberty: Multiple integer overflows (CVE-2012-3509)
Status: RESOLVED FIXED
Alias: PR54411
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://gcc.gnu.org/PR54411
Whiteboard: A4 [noglsa]
Reported: 2012-09-10 13:21 UTC by GLSAMaker/CVETool Bot
Modified: 2017-01-21 14:27 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-10 13:21:27 UTC
CVE-2012-3509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3509):
  Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c
  and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used
  by binutils 2.22, allow remote attackers to cause a denial of service
  (crash) via vectors related to the "addition of CHUNK_HEADER_SIZE to the
  length," which triggers a heap-based buffer overflow.
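
A simplified model of the size computation the CVE text describes, as an added example (not libiberty's code and not part of this bug report). `ALIGN`, the value chosen for `CHUNK_HEADER_SIZE`, and both function names are assumptions made for illustration; the checked variant rejects any request whose alignment round-up or header addition would wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for this example; not libiberty's definitions. */
#define ALIGN 8u
#define CHUNK_HEADER_SIZE 16u

/* Unchecked pattern: returns the size that would be passed to malloc()
   for a request of len bytes. Both additions can wrap around SIZE_MAX,
   yielding a chunk far smaller than the len bytes the caller will write. */
size_t chunk_size_unchecked(size_t len)
{
    if (len == 0)
        len = 1;
    len = (len + ALIGN - 1) & ~(size_t)(ALIGN - 1);  /* round up; may wrap */
    return len + CHUNK_HEADER_SIZE;                  /* may wrap */
}

/* Checked pattern: returns 0 and stores the size in *out, or returns -1
   if either the round-up or the header addition would overflow size_t. */
int chunk_size_checked(size_t len, size_t *out)
{
    if (len == 0)
        len = 1;
    if (len > SIZE_MAX - (ALIGN - 1))
        return -1;                                   /* round-up would wrap */
    len = (len + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    if (len > SIZE_MAX - CHUNK_HEADER_SIZE)
        return -1;                                   /* header add would wrap */
    *out = len + CHUNK_HEADER_SIZE;
    return 0;
}

int main(void)
{
    size_t huge = SIZE_MAX - 8;   /* constructed oversized request */
    size_t sz = 0;

    printf("unchecked: request %zu -> malloc(%zu)\n",
           huge, chunk_size_unchecked(huge));
    printf("checked:   request %zu -> %s\n", huge,
           chunk_size_checked(huge, &sz) ? "rejected" : "accepted");
    printf("checked:   request 100 -> %s\n",
           chunk_size_checked(100, &sz) ? "rejected" : "accepted");
    return 0;
}
```
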
Comment 1 SpanKY gentoo-dev 2012-09-10 15:06:43 UTC
i don't know who added the "remote" part of this, but i doubt that.  i know of very few projects that actually link against libiberty, and pretty much none of them are accessible "remotely".
Comment 2 SpanKY gentoo-dev 2014-02-18 19:20:55 UTC
i would just close this bug as "not relevant".  in order to exploit things, you need to be running these tools.  there's way too many ways to crash gcc to have security issues be relevant (just search our bugzilla for ICE).  if you're running gdb, it means you have full access anyways, so tracking crashers in that is dumb.  there aren't as many known bugs generally in binutils, but the maintainers don't really track these issues.

all in all, there are no plans on the toolchain side to go backporting the various changes that land.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 14:27:17 UTC
GCC:
====
Upstream patch:

https://github.com/gcc-mirror/gcc/commit/63d6cef520317622e38fb04be409db9ee43f9807

In Gentoo repository since >=sys-devel/gcc-4.8.0 (current stable version: 4.9.4; Repository is _not_ clean; Cleanup request is in bug 517930)


binutils / gdb:
===============
Upstream patch:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=995b61fe5b880e79b767160207fd363b125fdaa3

binutils: In Gentoo repository since >=sys-devel/binutils-2.24 (current stable version: 2.25.1-r1; Repository is clean)

gdb: In Gentoo repository since >=sys-devel/gdb-7.7 (current stable version: 7.9.1; Repository is clean)


No PoC for ACE/RCE, downgraded to A4. We don't consider a crash in an end-user application such as gdb to be a security flaw.

GLSA Vote: No