
Bug 433992 (CVE-2002-2439)

Summary: <sys-devel/gcc-4.8.0: Integer overflow can occur during the computation of the memory region size for new[] operator (CVE-2002-2439)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
CC: toolchain
URL: https://gcc.gnu.org/PR19351
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=853906
          https://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
Whiteboard: A3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-09-05 05:17:56 UTC
From red hat bugzilla at $URL:

It was reported that the C++ new[] operator was previously missing integer overflow / wrap-around checks for its arguments. If an application compiled with gcc accepted untrusted input for memory allocation and was missing application-level checks for integer overflows of the arguments provided to the new[] operator, an attacker could use this flaw to cause the memory region allocated in the end for the new[] operator statement to be smaller than truly required, possibly leading to heap-based buffer overflows.

Upstream bug report:
[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351

Upstream patch:
[2] http://gcc.gnu.org/viewcvs?view=revision&revision=190546

Proposed upstream patch for __cxa_vec_new (pending upstream review):
[3] http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01416.html

References:
[4] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35790
[5] http://cert.uni-stuttgart.de/ticker/advisories/calloc.html
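The arithmetic behind the description above, as an added example that is not part of the bug report, the Red Hat advisory or GCC itself. It shows how `n * sizeof(T)` for a `new T[n]` silently wraps in `size_t`, the application-level bound check the advisory says vulnerable programs were missing, and the hardened allocation path. `Record`, `wrapped_byte_count`, `array_size_fits`, `first_wrapping_count`, `allocate_records_unchecked` and `allocate_records_checked` are names chosen for this example. The unchecked path is left in so the reader can see the difference: on GCC 4.8 and later (and any C++11 compiler) `new[]` itself rejects the wrapped count with `std::bad_array_new_length`, which derives from `std::bad_alloc`; on a compiler without the PR19351 fix the same call would request a wrapped (here, zero-byte) region and hand back a pointer that the caller then overruns.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Example element type; any trivially destructible type works (no array cookie).
struct Record {
    std::uint64_t id;
    std::uint64_t value;   // sizeof(Record) == 16 on the usual targets
};

// Pre-fix arithmetic: the byte count a `new T[n]` needs is n * sizeof(T) in
// size_t, and size_t multiplication silently wraps modulo 2^(8*sizeof(size_t)).
std::size_t wrapped_byte_count(std::size_t n, std::size_t elem_size) {
    return n * elem_size;
}

// Application-level check the advisory says affected programs were missing:
// n elements of elem_size bytes fit in a size_t iff n <= SIZE_MAX / elem_size.
bool array_size_fits(std::size_t n, std::size_t elem_size) {
    if (elem_size == 0) return true;
    return n <= std::numeric_limits<std::size_t>::max() / elem_size;
}

// Smallest element count whose byte size wraps; for a power-of-two elem_size
// the product wraps to exactly 0, i.e. a zero-byte allocation "succeeds".
std::size_t first_wrapping_count(std::size_t elem_size) {
    return std::numeric_limits<std::size_t>::max() / elem_size + 1;
}

enum class AllocResult { Allocated, Rejected, Threw };

// Vulnerable pattern from the description: n comes straight from untrusted
// input and reaches new[] with no overflow check of its own.
AllocResult allocate_records_unchecked(std::size_t n, Record** out) {
    *out = nullptr;
    try {
        *out = new Record[n];
        return AllocResult::Allocated;
    } catch (const std::bad_alloc&) {   // also catches std::bad_array_new_length
        return AllocResult::Threw;
    }
}

// Hardened pattern: bound the count before new[] ever sees it, so the result
// does not depend on which compiler built the binary.
AllocResult allocate_records_checked(std::size_t n, Record** out) {
    *out = nullptr;
    if (!array_size_fits(n, sizeof(Record))) return AllocResult::Rejected;
    try {
        *out = new Record[n];
        return AllocResult::Allocated;
    } catch (const std::bad_alloc&) {   // genuine out-of-memory
        return AllocResult::Threw;
    }
}

int main() {
    const std::size_t n = first_wrapping_count(sizeof(Record));
    std::printf("n = %zu elements of %zu bytes; n * sizeof(Record) wraps to %zu bytes\n",
                n, sizeof(Record), wrapped_byte_count(n, sizeof(Record)));

    Record* p = nullptr;
    AllocResult r = allocate_records_unchecked(n, &p);
    // GCC >= 4.8: "threw" (bad_array_new_length). Pre-fix GCC: "allocated", with p
    // pointing at a region far smaller than n records; p[0] = ... would overflow the heap.
    std::printf("unchecked new[]: %s\n",
                r == AllocResult::Threw ? "threw" :
                r == AllocResult::Allocated ? "allocated (size wrapped!)" : "rejected");
    delete[] p;   // no-op when the allocation threw

    r = allocate_records_checked(n, &p);
    std::printf("checked new[]:   %s\n", r == AllocResult::Rejected ? "rejected" : "other");
    return 0;
}
```

The check in `array_size_fits` is the same bound the fixed compiler now enforces internally; keeping it in application code is still worthwhile because, as Comment 2 and Comment 6 below note, the fix was never backported to gcc-4.7 or earlier, so a binary built with an older toolchain gets no protection from `new[]` itself.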
Comment 1 Ryan Hill (RETIRED) gentoo-dev 2012-09-09 19:19:58 UTC
If anything that's a security enhancement for badly written programs, not a vulnerability itself.
Comment 2 SpanKY gentoo-dev 2012-09-10 05:29:26 UTC
it's not entirely clear whether the patch changes the ABI (they mention using a new symbol).  if it does, then we won't be doing a backport of it.
Comment 3 Agostino Sarubbo gentoo-dev 2012-11-05 19:54:39 UTC
http://gcc.gnu.org/viewcvs?view=revision&revision=193174
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-08 23:07:09 UTC
Seems to be fixed in 4.8.0.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-21 06:43:42 UTC
Bug fixed in 4.8.0 as previous comment notes.  Below is a link to redhat's bugzilla stating the impact of backporting a patch.  

@base-system and @toolchain, please advise on backport. Doubtful a cleanup is possible here for compatibility reasons.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439
Comment 6 SpanKY gentoo-dev 2016-02-21 08:05:19 UTC
no plans to backport or clean up.  gcc-4.9 is stable across the board at this point.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2017-04-17 00:45:23 UTC
GLSA Vote No

Thank you all for your work
Closing no GLSA