Bug 652060 (CVE-2018-9138)

Summary: sys-devel/binutils: Stack Exhaustion
Product: Gentoo Security
Reporter: Michael Boyle <boylemic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: herrtimson, toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=23008
Whiteboard: A3 [upstream]
Package list:
Runtime testing required: ---

Description Michael Boyle 2018-03-31 02:13:19 UTC
CVE-2018-9138:

An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2018-04-29 19:38:09 UTC
(In reply to Michael Boyle from comment #0)
> CVE-2018-9138:
> 
> An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++
> demangling functions provided by libiberty, and there are recursive stack
> frames: demangle_nested_args, demangle_args, do_arg, and do_type.

Still under debate upstream whether this is real, no fix committed
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2018-11-30 23:09:56 UTC
Upstream conclusion seems to be "working as expected"
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-11-30 23:55:05 UTC
(In reply to Andreas K. Hüttel from comment #2)
> Upstream conclusion seems to be "working as expected"

Agree.
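
The failure class named in the CVE text (recursion depth controlled by input nesting), as an added example that is not part of this bug report and is not libiberty code: a toy recursive-descent type parser that returns an error at a fixed depth instead of exhausting the stack. The grammar, the `toy_*` names and the limit of 256 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy grammar, constructed for this example (NOT libiberty's mangling):
 *   type := 'i' | 'P' type | 'F' type* 'E'
 * One stack frame per nesting level, so input depth drives stack depth. */
#define TOY_MAX_DEPTH 256            /* assumed limit, sized to stack budget */
enum { TOY_OK = 0, TOY_SYNTAX = -1, TOY_TOO_DEEP = -2 };

static int toy_type(const char **p, unsigned depth)
{
    if (depth > TOY_MAX_DEPTH) return TOY_TOO_DEEP;  /* error, not a crash */
    switch (**p) {
    case 'i': (*p)++; return TOY_OK;
    case 'P': (*p)++; return toy_type(p, depth + 1);
    case 'F': (*p)++;
        while (**p != '\0' && **p != 'E') {   /* nested argument list */
            int rc = toy_type(p, depth + 1);
            if (rc != TOY_OK) return rc;
        }
        if (**p != 'E') return TOY_SYNTAX;
        (*p)++;
        return TOY_OK;
    default:  return TOY_SYNTAX;     /* unknown code or end of string */
    }
}

int toy_parse(const char *s)
{
    int rc = toy_type(&s, 0);
    return (rc == TOY_OK && *s != '\0') ? TOY_SYNTAX : rc;
}

/* Build n*open + "i" + n*close (close may be 0 for none) and parse it. */
int toy_parse_nested(char open, char close, size_t n)
{
    char *s = calloc(2 * n + 2, 1);
    if (!s) return TOY_SYNTAX;
    memset(s, open, n); s[n] = 'i';
    memset(s + n + 1, close, n);
    int rc = toy_parse(s);
    free(s);
    return rc;
}

int main(void)
{
    printf("%d %d\n", toy_parse("FiPFiEE"), toy_parse_nested('F', 'E', 100000));
    return 0;
}
```

Without the depth check, the 100000-level input would cost one stack frame per level, and whether it crashes would depend only on the process stack limit.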