620492 – (CVE-2016-6131) <sys-devel/gcc-6.4.0 denial of service (infinite loop, stack overflow, and crash) in the libiberty demangler

Bug 620492 (CVE-2016-6131) - <sys-devel/gcc-6.4.0 denial of service (infinite loop, stack overflow, and crash) in the libiberty demangler

Summary: <sys-devel/gcc-6.4.0 denial of service (infinite loop, stack overflow, and cr...

Status:	RESOLVED FIXED

Alias:	CVE-2016-6131

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:	A3 [glsa cve]
Keywords:

Depends on:	638030
Blocks:
	Show dependency tree

Reported:	2017-06-03 09:40 UTC by Andrey Ovcharov
Modified:	2020-05-02 02:40 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
gcc-5.4-CVE-2016-6131.patch (gcc-5.4-CVE-2016-6131.patch,7.58 KB, patch) 2017-06-03 09:40 UTC, Andrey Ovcharov	no flags	Details \| Diff
gcc-6.3-CVE-2016-6131.patch (gcc-6.3-CVE-2016-6131.patch,7.76 KB, patch) 2017-06-03 09:41 UTC, Andrey Ovcharov	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrey Ovcharov 2017-06-03 09:40:35 UTC

Created attachment 475106 [details, diff]
gcc-5.4-CVE-2016-6131.patch

sys-devel/gcc-{5.4.0,5.4.0-r3,6.3.0} affected CVE-2016-6131

Comment 1 Andrey Ovcharov 2017-06-03 09:41:00 UTC

Created attachment 475108 [details, diff]
gcc-6.3-CVE-2016-6131.patch

Comment 2 Jonas Stein gentoo-dev

2017-06-03 15:59:15 UTC

Thank you!

Comment 3 Andreas K. Hüttel archtester

2017-10-03 18:50:42 UTC

Somehow this ended up in the wrong place.

Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-05 19:41:16 UTC

Thanks, how is this going? Is there any vulnerable version in tree?

I suppose that summary should have a "<" at the beginning which says that we need to clean up or mask vulnerable versions.

@Maintainers could you please confirm?

Gentoo Security Padawan
ChrisADR

Comment 5 Andreas K. Hüttel archtester

2017-10-05 19:49:56 UTC

(In reply to Christopher Díaz from comment #4)
> Thanks, how is this going? Is there any vulnerable version in tree?
> 
> I suppose that summary should have a "<" at the beginning which says that we
> need to clean up or mask vulnerable versions.

Nope, these are the vulnerable versions.

We are going to stabilize 6.4.0 soon, until then we just have to wait here.

5.4.0* will be masked sometime afterwards (for different reasons), 6.3 removed. No further cleanup.

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2019-08-10 17:28:30 UTC

please extend mask

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2020-05-02 02:40:06 UTC

mask is good.