Bug 661154 (CVE-2018-12934, CVE-2018-9996)

Summary:	sys-devel/binutils: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	bertrand, toolchain
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A3 [upstream cve]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2018-07-14 16:23:59 UTC Comment hidden (obsolete)

CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
  An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
  GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
  provided by libiberty, and there are recursive stack frames:
  demangle_template_value_parm, demangle_integral_value, and
  demangle_expression.

CVE-2018-9138 (https://nvd.nist.gov/vuln/detail/CVE-2018-9138):
  An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
  GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling
  functions provided by libiberty, and there are recursive stack frames:
  demangle_nested_args, demangle_args, do_arg, and do_type.

CVE-2018-13033 (https://nvd.nist.gov/vuln/detail/CVE-2018-13033):
  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.30, allows remote attackers to cause a denial of service
  (excessive memory allocation and application crash) via a crafted ELF file,
  as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc
  in libbfd.c. This can occur during execution of nm.

CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
  remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
  Binutils 2.30, allows attackers to trigger excessive memory consumption (aka
  OOM). This can occur during execution of cxxfilt.

CVE-2018-12700 (https://nvd.nist.gov/vuln/detail/CVE-2018-12700):
  A Stack Exhaustion issue was discovered in debug_write_type in debug.c in
  GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.

CVE-2018-12699 (https://nvd.nist.gov/vuln/detail/CVE-2018-12699):
  finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a
  denial of service (heap-based buffer overflow) or possibly have unspecified
  other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can
  occur during execution of objdump.

CVE-2018-12698 (https://nvd.nist.gov/vuln/detail/CVE-2018-12698):
  demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU
  Binutils 2.30, allows attackers to trigger excessive memory consumption (aka
  OOM) during the "Create an array for saving the template argument values"
  XNEWVEC call. This can occur during execution of objdump.

CVE-2018-12697 (https://nvd.nist.gov/vuln/detail/CVE-2018-12697):
  A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was
  discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as
  distributed in GNU Binutils 2.30. This can occur during execution of
  objdump.

CVE-2018-12641 (https://nvd.nist.gov/vuln/detail/CVE-2018-12641):
  An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as
  distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++
  demangling functions provided by libiberty, and there are recursive stack
  frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type,
  do_type, do_arg, demangle_args, and demangle_nested_args. This can occur
  during execution of nm-new.

CVE-2018-10535 (https://nvd.nist.gov/vuln/detail/CVE-2018-10535):
  The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate
  the output_section pointer in the case of a symtab entry with a "SECTION"
  type that has a "0" value, which allows remote attackers to cause a denial
  of service (NULL pointer dereference and application crash) via a crafted
  file, as demonstrated by objcopy.

CVE-2018-10534 (https://nvd.nist.gov/vuln/detail/CVE-2018-10534):
  The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
  Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.30, processes a negative Data Directory size with an unbounded
  loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
  that the address exceeds its own memory region, resulting in an
  out-of-bounds memory write, as demonstrated by objcopy copying private info
  with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.

CVE-2018-10373 (https://nvd.nist.gov/vuln/detail/CVE-2018-10373):
  concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka
  libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to
  cause a denial of service (NULL pointer dereference and application crash)
  via a crafted binary file, as demonstrated by nm-new.

CVE-2018-10372 (https://nvd.nist.gov/vuln/detail/CVE-2018-10372):
  process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
  to cause a denial of service (heap-based buffer over-read and application
  crash) via a crafted binary file, as demonstrated by readelf.

Comment 1 Andreas K. Hüttel archtester

2018-12-04 22:55:48 UTC Comment hidden (obsolete)

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
>   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
>   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
>   provided by libiberty, and there are recursive stack frames:
>   demangle_template_value_parm, demangle_integral_value, and
>   demangle_expression.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
No action upstream so far.

> 
> CVE-2018-9138 (https://nvd.nist.gov/vuln/detail/CVE-2018-9138):
>   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
>   GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling
>   functions provided by libiberty, and there are recursive stack frames:
>   demangle_nested_args, demangle_args, do_arg, and do_type.

https://sourceware.org/bugzilla/show_bug.cgi?id=23008
No action upstream so far.

> 
> CVE-2018-13033 (https://nvd.nist.gov/vuln/detail/CVE-2018-13033):
>   The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
> GNU
>   Binutils 2.30, allows remote attackers to cause a denial of service
>   (excessive memory allocation and application crash) via a crafted ELF file,
>   as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc
>   in libbfd.c. This can occur during execution of nm.

https://sourceware.org/bugzilla/show_bug.cgi?id=23361
"fixed with commit 95a6d235661"
* fixed for >=sys-devel/binutils-2.31.1
* cherry-picked for gentoo/binutils-2.30 branch

> 
> CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
>   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
>   Binutils 2.30, allows attackers to trigger excessive memory consumption
> (aka
>   OOM). This can occur during execution of cxxfilt.

Problem is in libiberty.

> 
> CVE-2018-12700 (https://nvd.nist.gov/vuln/detail/CVE-2018-12700):
>   A Stack Exhaustion issue was discovered in debug_write_type in debug.c in
>   GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.

Problem is in libiberty.

> 
> CVE-2018-12699 (https://nvd.nist.gov/vuln/detail/CVE-2018-12699):
>   finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a
>   denial of service (heap-based buffer overflow) or possibly have unspecified
>   other impact, as demonstrated by an out-of-bounds write of 8 bytes. This
> can
>   occur during execution of objdump.

Problem is in libiberty.

> 
> CVE-2018-12698 (https://nvd.nist.gov/vuln/detail/CVE-2018-12698):
>   demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU
>   Binutils 2.30, allows attackers to trigger excessive memory consumption
> (aka
>   OOM) during the "Create an array for saving the template argument values"
>   XNEWVEC call. This can occur during execution of objdump.

Problem is in libiberty.

> 
> CVE-2018-12697 (https://nvd.nist.gov/vuln/detail/CVE-2018-12697):
>   A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was
>   discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as
>   distributed in GNU Binutils 2.30. This can occur during execution of
>   objdump.

Problem is in libiberty.

> 
> CVE-2018-12641 (https://nvd.nist.gov/vuln/detail/CVE-2018-12641):
>   An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as
>   distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++
>   demangling functions provided by libiberty, and there are recursive stack
>   frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type,
>   do_type, do_arg, demangle_args, and demangle_nested_args. This can occur
>   during execution of nm-new.

Problem is in libiberty.

> 
> CVE-2018-10535 (https://nvd.nist.gov/vuln/detail/CVE-2018-10535):
>   The ignore_section_sym function in elf.c in the Binary File Descriptor
> (BFD)
>   library (aka libbfd), as distributed in GNU Binutils 2.30, does not
> validate
>   the output_section pointer in the case of a symtab entry with a "SECTION"
>   type that has a "0" value, which allows remote attackers to cause a denial
>   of service (NULL pointer dereference and application crash) via a crafted
>   file, as demonstrated by objcopy.

Fixed in db0c309f4011ca94a4abc8458e27f3734dab92ac
* Fixed in >=sys-devel/binutils-2.31
* cherry-picked for the gentoo/binutils-2.30 branch

> 
> CVE-2018-10534 (https://nvd.nist.gov/vuln/detail/CVE-2018-10534):
>   The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
>   Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
>   Binutils 2.30, processes a negative Data Directory size with an unbounded
>   loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
>   that the address exceeds its own memory region, resulting in an
>   out-of-bounds memory write, as demonstrated by objcopy copying private info
>   with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.

Fixed in aa4a8c2a2a67545e90c877162c53cc9de42dc8b4
* Fixed in >=sys-devel/binutils-2.31
* cherry-picked for the gentoo/binutils-2.30 branch

> 
> CVE-2018-10373 (https://nvd.nist.gov/vuln/detail/CVE-2018-10373):
>   concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library
> (aka
>   libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to
>   cause a denial of service (NULL pointer dereference and application crash)
>   via a crafted binary file, as demonstrated by nm-new.

Fixed in 6327533b1fd29fa86f6bf34e61c332c010e3c689
* Fixed in >=sys-devel/binutils-2.31
* cherry-picked for the gentoo/binutils-2.30 branch

> 
> CVE-2018-10372 (https://nvd.nist.gov/vuln/detail/CVE-2018-10372):
>   process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
>   to cause a denial of service (heap-based buffer over-read and application
>   crash) via a crafted binary file, as demonstrated by readelf.

Fixed in 6aea08d9f3e3d6475a65454da488a0c51f5dc97d
* Fixed in >=sys-devel/binutils-2.31
* cherry-picked for the gentoo/binutils-2.30 branch

Comment 2 tt_1 2019-03-04 07:44:54 UTC

I think most of the libiberty related problems where solved in gcc: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=266886

and it seems even gcc-8.3.0 needs them?

Comment 3 Andreas K. Hüttel archtester

2019-03-24 21:42:02 UTC Comment hidden (obsolete)

(In reply to Andreas K. Hüttel from comment #1)
> (In reply to GLSAMaker/CVETool Bot from comment #0)
> > CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
> >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> >   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
> >   provided by libiberty, and there are recursive stack frames:
> >   demangle_template_value_parm, demangle_integral_value, and
> >   demangle_expression.
> 
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
> No action upstream so far.
Dito

> > CVE-2018-9138 (https://nvd.nist.gov/vuln/detail/CVE-2018-9138):
> >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> >   GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling
> >   functions provided by libiberty, and there are recursive stack frames:
> >   demangle_nested_args, demangle_args, do_arg, and do_type.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=23008
> No action upstream so far.
Nick Clifton 2018-12-07 13:37:08 UTC
Fixed by recent merge with gcc libiberty sources.
=> fixed in gentoo 2.32 branch

> > CVE-2018-13033 (https://nvd.nist.gov/vuln/detail/CVE-2018-13033):
> >   The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
> > GNU
> >   Binutils 2.30, allows remote attackers to cause a denial of service
> >   (excessive memory allocation and application crash) via a crafted ELF file,
> >   as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc
> >   in libbfd.c. This can occur during execution of nm.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=23361
> "fixed with commit 95a6d235661"
> * fixed for >=sys-devel/binutils-2.31.1
> * cherry-picked for gentoo/binutils-2.30 branch

> > CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
> >   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
> >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > (aka
> >   OOM). This can occur during execution of cxxfilt.
> 
> Problem is in libiberty.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
No action yet.

> > CVE-2018-12700 (https://nvd.nist.gov/vuln/detail/CVE-2018-12700):
> >   A Stack Exhaustion issue was discovered in debug_write_type in debug.c in
> >   GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
> 
> Problem is in libiberty.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
"Fixed with commit 266886."

> > CVE-2018-12699 (https://nvd.nist.gov/vuln/detail/CVE-2018-12699):
> >   finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a
> >   denial of service (heap-based buffer overflow) or possibly have unspecified
> >   other impact, as demonstrated by an out-of-bounds write of 8 bytes. This
> > can
> >   occur during execution of objdump.
> 
> Problem is in libiberty.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
"Fixed with commit 266886."

> > CVE-2018-12698 (https://nvd.nist.gov/vuln/detail/CVE-2018-12698):
> >   demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU
> >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > (aka
> >   OOM) during the "Create an array for saving the template argument values"
> >   XNEWVEC call. This can occur during execution of objdump.
> 
> Problem is in libiberty.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
"Fixed with commit 266886."

> > CVE-2018-12697 (https://nvd.nist.gov/vuln/detail/CVE-2018-12697):
> >   A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was
> >   discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as
> >   distributed in GNU Binutils 2.30. This can occur during execution of
> >   objdump.
> 
> Problem is in libiberty.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
"Fixed with commit 266886."

> > CVE-2018-12641 (https://nvd.nist.gov/vuln/detail/CVE-2018-12641):
> >   An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as
> >   distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++
> >   demangling functions provided by libiberty, and there are recursive stack
> >   frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type,
> >   do_type, do_arg, demangle_args, and demangle_nested_args. This can occur
> >   during execution of nm-new.
> 
> Problem is in libiberty.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452
"Fixed with commit 266886"

> > CVE-2018-10535 (https://nvd.nist.gov/vuln/detail/CVE-2018-10535):
> >   The ignore_section_sym function in elf.c in the Binary File Descriptor
> > (BFD)
> >   library (aka libbfd), as distributed in GNU Binutils 2.30, does not
> > validate
> >   the output_section pointer in the case of a symtab entry with a "SECTION"
> >   type that has a "0" value, which allows remote attackers to cause a denial
> >   of service (NULL pointer dereference and application crash) via a crafted
> >   file, as demonstrated by objcopy.
> 
> Fixed in db0c309f4011ca94a4abc8458e27f3734dab92ac
> * Fixed in >=sys-devel/binutils-2.31
> * cherry-picked for the gentoo/binutils-2.30 branch

> > CVE-2018-10534 (https://nvd.nist.gov/vuln/detail/CVE-2018-10534):
> >   The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
> >   Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
> >   Binutils 2.30, processes a negative Data Directory size with an unbounded
> >   loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
> >   that the address exceeds its own memory region, resulting in an
> >   out-of-bounds memory write, as demonstrated by objcopy copying private info
> >   with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
> 
> Fixed in aa4a8c2a2a67545e90c877162c53cc9de42dc8b4
> * Fixed in >=sys-devel/binutils-2.31
> * cherry-picked for the gentoo/binutils-2.30 branch

> > CVE-2018-10373 (https://nvd.nist.gov/vuln/detail/CVE-2018-10373):
> >   concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library
> > (aka
> >   libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to
> >   cause a denial of service (NULL pointer dereference and application crash)
> >   via a crafted binary file, as demonstrated by nm-new.
> 
> Fixed in 6327533b1fd29fa86f6bf34e61c332c010e3c689
> * Fixed in >=sys-devel/binutils-2.31
> * cherry-picked for the gentoo/binutils-2.30 branch

> > CVE-2018-10372 (https://nvd.nist.gov/vuln/detail/CVE-2018-10372):
> >   process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
> >   to cause a denial of service (heap-based buffer over-read and application
> >   crash) via a crafted binary file, as demonstrated by readelf.
> 
> Fixed in 6aea08d9f3e3d6475a65454da488a0c51f5dc97d
> * Fixed in >=sys-devel/binutils-2.31
> * cherry-picked for the gentoo/binutils-2.30 branch

Comment 4 Yury German Gentoo Infrastructure

2019-03-27 23:23:36 UTC Comment hidden (obsolete)

CVE-2018-9138 (https://nvd.nist.gov/vuln/detail/CVE-2018-9138):
  An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
  GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling
  functions provided by libiberty, and there are recursive stack frames:
  demangle_nested_args, demangle_args, do_arg, and do_type.

Handled as Bug# 652060

Comment 5 Yury German Gentoo Infrastructure

2019-03-27 23:23:50 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 6 Andreas K. Hüttel archtester

2019-04-06 14:09:19 UTC Comment hidden (obsolete)

> > > CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
> > >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> > >   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
> > >   provided by libiberty, and there are recursive stack frames:
> > >   demangle_template_value_parm, demangle_integral_value, and
> > >   demangle_expression.
> > 
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
> > No action upstream so far.
> Dito
Dito


> > > CVE-2018-9138 (https://nvd.nist.gov/vuln/detail/CVE-2018-9138):
> > >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> > >   GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling
> > >   functions provided by libiberty, and there are recursive stack frames:
> > >   demangle_nested_args, demangle_args, do_arg, and do_type.
> > 
> > https://sourceware.org/bugzilla/show_bug.cgi?id=23008
> > No action upstream so far.
> Nick Clifton 2018-12-07 13:37:08 UTC
> Fixed by recent merge with gcc libiberty sources.
> => fixed in gentoo 2.32 branch


> > > CVE-2018-13033 (https://nvd.nist.gov/vuln/detail/CVE-2018-13033):
> > >   The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
> > > GNU
> > >   Binutils 2.30, allows remote attackers to cause a denial of service
> > >   (excessive memory allocation and application crash) via a crafted ELF file,
> > >   as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc
> > >   in libbfd.c. This can occur during execution of nm.
> > 
> > https://sourceware.org/bugzilla/show_bug.cgi?id=23361
> > "fixed with commit 95a6d235661"
> > * fixed for >=sys-devel/binutils-2.31.1
> > * cherry-picked for gentoo/binutils-2.30 branch


> > > CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
> > >   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
> > >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > > (aka
> > >   OOM). This can occur during execution of cxxfilt.
> > 
> > Problem is in libiberty.
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
> No action yet.
Dito


> > > CVE-2018-12700 (https://nvd.nist.gov/vuln/detail/CVE-2018-12700):
> > >   A Stack Exhaustion issue was discovered in debug_write_type in debug.c in
> > >   GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
> > 
> > Problem is in libiberty.
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
> "Fixed with commit 266886."
Fixed in 2.32


> > > CVE-2018-12699 (https://nvd.nist.gov/vuln/detail/CVE-2018-12699):
> > >   finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a
> > >   denial of service (heap-based buffer overflow) or possibly have unspecified
> > >   other impact, as demonstrated by an out-of-bounds write of 8 bytes. This
> > > can
> > >   occur during execution of objdump.
> > 
> > Problem is in libiberty.
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
> "Fixed with commit 266886."
Fixed in 2.32


> > > CVE-2018-12698 (https://nvd.nist.gov/vuln/detail/CVE-2018-12698):
> > >   demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU
> > >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > > (aka
> > >   OOM) during the "Create an array for saving the template argument values"
> > >   XNEWVEC call. This can occur during execution of objdump.
> > 
> > Problem is in libiberty.
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
> "Fixed with commit 266886."
Fixed in 2.32


> > > CVE-2018-12697 (https://nvd.nist.gov/vuln/detail/CVE-2018-12697):
> > >   A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was
> > >   discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as
> > >   distributed in GNU Binutils 2.30. This can occur during execution of
> > >   objdump.
> > 
> > Problem is in libiberty.
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
> "Fixed with commit 266886."
Fixed in 2.32


> > > CVE-2018-12641 (https://nvd.nist.gov/vuln/detail/CVE-2018-12641):
> > >   An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as
> > >   distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++
> > >   demangling functions provided by libiberty, and there are recursive stack
> > >   frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type,
> > >   do_type, do_arg, demangle_args, and demangle_nested_args. This can occur
> > >   during execution of nm-new.
> > 
> > Problem is in libiberty.
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452
> "Fixed with commit 266886"
Fixed in 2.32


> > > CVE-2018-10535 (https://nvd.nist.gov/vuln/detail/CVE-2018-10535):
> > >   The ignore_section_sym function in elf.c in the Binary File Descriptor
> > > (BFD)
> > >   library (aka libbfd), as distributed in GNU Binutils 2.30, does not
> > > validate
> > >   the output_section pointer in the case of a symtab entry with a "SECTION"
> > >   type that has a "0" value, which allows remote attackers to cause a denial
> > >   of service (NULL pointer dereference and application crash) via a crafted
> > >   file, as demonstrated by objcopy.
> > 
> > Fixed in db0c309f4011ca94a4abc8458e27f3734dab92ac
> > * Fixed in >=sys-devel/binutils-2.31
> > * cherry-picked for the gentoo/binutils-2.30 branch


> > > CVE-2018-10534 (https://nvd.nist.gov/vuln/detail/CVE-2018-10534):
> > >   The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
> > >   Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
> > >   Binutils 2.30, processes a negative Data Directory size with an unbounded
> > >   loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
> > >   that the address exceeds its own memory region, resulting in an
> > >   out-of-bounds memory write, as demonstrated by objcopy copying private info
> > >   with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
> > 
> > Fixed in aa4a8c2a2a67545e90c877162c53cc9de42dc8b4
> > * Fixed in >=sys-devel/binutils-2.31
> > * cherry-picked for the gentoo/binutils-2.30 branch


> > > CVE-2018-10373 (https://nvd.nist.gov/vuln/detail/CVE-2018-10373):
> > >   concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library
> > > (aka
> > >   libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to
> > >   cause a denial of service (NULL pointer dereference and application crash)
> > >   via a crafted binary file, as demonstrated by nm-new.
> > 
> > Fixed in 6327533b1fd29fa86f6bf34e61c332c010e3c689
> > * Fixed in >=sys-devel/binutils-2.31
> > * cherry-picked for the gentoo/binutils-2.30 branch


> > > CVE-2018-10372 (https://nvd.nist.gov/vuln/detail/CVE-2018-10372):
> > >   process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
> > >   to cause a denial of service (heap-based buffer over-read and application
> > >   crash) via a crafted binary file, as demonstrated by readelf.
> > 
> > Fixed in 6aea08d9f3e3d6475a65454da488a0c51f5dc97d
> > * Fixed in >=sys-devel/binutils-2.31
> > * cherry-picked for the gentoo/binutils-2.30 branch

Comment 7 Andreas K. Hüttel archtester

2019-04-06 17:22:48 UTC Comment hidden (obsolete, split-out)

Removed vulnerabilities are now in bug 682698


> > > > CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
> > > >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> > > >   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
> > > >   provided by libiberty, and there are recursive stack frames:
> > > >   demangle_template_value_parm, demangle_integral_value, and
> > > >   demangle_expression.
> > > 
> > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
> > > No action upstream so far.
> > Dito
> Dito


> > > > CVE-2018-13033 (https://nvd.nist.gov/vuln/detail/CVE-2018-13033):
> > > >   The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
> > > > GNU
> > > >   Binutils 2.30, allows remote attackers to cause a denial of service
> > > >   (excessive memory allocation and application crash) via a crafted ELF file,
> > > >   as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc
> > > >   in libbfd.c. This can occur during execution of nm.
> > > 
> > > https://sourceware.org/bugzilla/show_bug.cgi?id=23361
> > > "fixed with commit 95a6d235661"
> > > * fixed for >=sys-devel/binutils-2.31.1
> > > * cherry-picked for gentoo/binutils-2.30 branch


> > > > CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
> > > >   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
> > > >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > > > (aka
> > > >   OOM). This can occur during execution of cxxfilt.
> > > 
> > > Problem is in libiberty.
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
> > No action yet.
> Dito


> > > > CVE-2018-10535 (https://nvd.nist.gov/vuln/detail/CVE-2018-10535):
> > > >   The ignore_section_sym function in elf.c in the Binary File Descriptor
> > > > (BFD)
> > > >   library (aka libbfd), as distributed in GNU Binutils 2.30, does not
> > > > validate
> > > >   the output_section pointer in the case of a symtab entry with a "SECTION"
> > > >   type that has a "0" value, which allows remote attackers to cause a denial
> > > >   of service (NULL pointer dereference and application crash) via a crafted
> > > >   file, as demonstrated by objcopy.
> > > 
> > > Fixed in db0c309f4011ca94a4abc8458e27f3734dab92ac
> > > * Fixed in >=sys-devel/binutils-2.31
> > > * cherry-picked for the gentoo/binutils-2.30 branch


> > > > CVE-2018-10534 (https://nvd.nist.gov/vuln/detail/CVE-2018-10534):
> > > >   The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
> > > >   Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
> > > >   Binutils 2.30, processes a negative Data Directory size with an unbounded
> > > >   loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
> > > >   that the address exceeds its own memory region, resulting in an
> > > >   out-of-bounds memory write, as demonstrated by objcopy copying private info
> > > >   with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
> > > 
> > > Fixed in aa4a8c2a2a67545e90c877162c53cc9de42dc8b4
> > > * Fixed in >=sys-devel/binutils-2.31
> > > * cherry-picked for the gentoo/binutils-2.30 branch


> > > > CVE-2018-10373 (https://nvd.nist.gov/vuln/detail/CVE-2018-10373):
> > > >   concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library
> > > > (aka
> > > >   libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to
> > > >   cause a denial of service (NULL pointer dereference and application crash)
> > > >   via a crafted binary file, as demonstrated by nm-new.
> > > 
> > > Fixed in 6327533b1fd29fa86f6bf34e61c332c010e3c689
> > > * Fixed in >=sys-devel/binutils-2.31
> > > * cherry-picked for the gentoo/binutils-2.30 branch


> > > > CVE-2018-10372 (https://nvd.nist.gov/vuln/detail/CVE-2018-10372):
> > > >   process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
> > > >   to cause a denial of service (heap-based buffer over-read and application
> > > >   crash) via a crafted binary file, as demonstrated by readelf.
> > > 
> > > Fixed in 6aea08d9f3e3d6475a65454da488a0c51f5dc97d
> > > * Fixed in >=sys-devel/binutils-2.31
> > > * cherry-picked for the gentoo/binutils-2.30 branch

Comment 8 Andreas K. Hüttel archtester

2019-04-06 17:31:23 UTC

Removed vulnerabilities are now in bug 682702


> > > > > CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
> > > > >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> > > > >   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
> > > > >   provided by libiberty, and there are recursive stack frames:
> > > > >   demangle_template_value_parm, demangle_integral_value, and
> > > > >   demangle_expression.
> > > > 
> > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
> > > > No action upstream so far.
> > > Dito
> > Dito


> > > > > CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
> > > > >   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
> > > > >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > > > > (aka
> > > > >   OOM). This can occur during execution of cxxfilt.
> > > > 
> > > > Problem is in libiberty.
> > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
> > > No action yet.
> > Dito

Comment 9 Andreas K. Hüttel archtester

2019-06-29 14:32:10 UTC

> > > > > > CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
> > > > > >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> > > > > >   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
> > > > > >   provided by libiberty, and there are recursive stack frames:
> > > > > >   demangle_template_value_parm, demangle_integral_value, and
> > > > > >   demangle_expression.
> > > > > 
> > > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
> > > > > No action upstream so far.
> > > > Dito
> > > Dito
Dito


> > > > > > CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
> > > > > >   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
> > > > > >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > > > > > (aka
> > > > > >   OOM). This can occur during execution of cxxfilt.
> > > > > 
> > > > > Problem is in libiberty.
> > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
> > > > No action yet.
> > > Dito
Dito

Comment 10 Andreas K. Hüttel archtester

2020-07-31 15:03:03 UTC

No new action.

Comment 11 Andreas K. Hüttel archtester

2021-01-23 17:55:01 UTC

Nothing new upstream.

Comment 12 Andreas K. Hüttel archtester

2021-07-02 22:34:54 UTC

No news here.

Comment 13 Andreas K. Hüttel archtester

2022-02-12 21:38:20 UTC

No news.

Comment 14 Andreas K. Hüttel archtester

2022-07-10 04:00:24 UTC

No news.

Comment 15 Andreas K. Hüttel archtester

2022-11-06 22:28:37 UTC

No news.