Bug 629248 (CVE-2017-13716)

Summary:	sys-devel/gcc-? via libiberty : binutils denial of service (excessive memory allocation and application crash) via a crafted file (CVE-2017-13716)
Product:	Gentoo Security	Reporter:	D'juan McDonald (domhnall) <flopwiki>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	toolchain
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://sourceware.org/bugzilla/show_bug.cgi?id=22009
Whiteboard:	A3 [noglsa cve]
Package list:		Runtime testing required:	---

Description D'juan McDonald (domhnall) 2017-08-29 00:46:58 UTC

From ${URL}:

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).

Upstream Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22009

CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13716

Comment 1 Andreas K. Hüttel archtester

2017-09-15 18:56:17 UTC

2.29 only just got keyworded, so let's give it some waiting time.

Comment 2 Andreas K. Hüttel archtester

2017-10-04 10:08:30 UTC

From upstream: 

  This is a bug in the C++ demangler, which is part of the libiberty sources.
  These sources are managed by the GCC project, so please could you refile
  this bug report with the GCC bugzilla system ?  Thanks.

Comment 3 Yury German Gentoo Infrastructure

2019-03-12 05:48:50 UTC

This should be ready to close. Please confirm.

Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev

2019-12-29 14:45:52 UTC

ok to close

Comment 5 Andreas K. Hüttel archtester

2021-01-12 18:05:45 UTC

@security: please close

Comment 6 Sam James archtester

2021-01-12 18:42:50 UTC

Long obsolete.