
Bug 661154 (CVE-2018-12934, CVE-2018-9996)

Summary: sys-devel/binutils: Multiple vulnerabilities
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: bertrand, toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [upstream cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-14 16:23:59 UTC Comment hidden (obsolete)
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2018-12-04 22:55:48 UTC Comment hidden (obsolete)
Comment 2 tt_1 2019-03-04 07:44:54 UTC
I think most of the libiberty related problems were solved in gcc: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=266886

and it seems even gcc-8.3.0 needs them?
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2019-03-24 21:42:02 UTC Comment hidden (obsolete)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 23:23:36 UTC Comment hidden (obsolete)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 23:23:50 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2019-04-06 14:09:19 UTC Comment hidden (obsolete)
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2019-04-06 17:22:48 UTC Comment hidden (obsolete, split-out)
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2019-04-06 17:31:23 UTC
Removed vulnerabilities are now in bug 682702


> > > > > CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
> > > > >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> > > > >   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
> > > > >   provided by libiberty, and there are recursive stack frames:
> > > > >   demangle_template_value_parm, demangle_integral_value, and
> > > > >   demangle_expression.
> > > > 
> > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
> > > > No action upstream so far.
> > > Ditto
> > Ditto


> > > > > CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
> > > > >   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
> > > > >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > > > >   (aka OOM). This can occur during execution of cxxfilt.
> > > > 
> > > > Problem is in libiberty.
> > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
> > > No action yet.
> > Ditto
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2019-06-29 14:32:10 UTC
> > > > > > CVE-2018-9996 (https://nvd.nist.gov/vuln/detail/CVE-2018-9996):
> > > > > >   An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> > > > > >   GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions
> > > > > >   provided by libiberty, and there are recursive stack frames:
> > > > > >   demangle_template_value_parm, demangle_integral_value, and
> > > > > >   demangle_expression.
> > > > > 
> > > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
> > > > > No action upstream so far.
> > > > Ditto
> > > Ditto
Ditto


> > > > > > CVE-2018-12934 (https://nvd.nist.gov/vuln/detail/CVE-2018-12934):
> > > > > >   remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU
> > > > > >   Binutils 2.30, allows attackers to trigger excessive memory consumption
> > > > > >   (aka OOM). This can occur during execution of cxxfilt.
> > > > > 
> > > > > Problem is in libiberty.
> > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
> > > > No action yet.
> > > Ditto
Ditto
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2020-07-31 15:03:03 UTC
No new action.
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2021-01-23 17:55:01 UTC
Nothing new upstream.
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2021-07-02 22:34:54 UTC
No news here.
Comment 13 Andreas K. Hüttel archtester gentoo-dev 2022-02-12 21:38:20 UTC
No news.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2022-07-10 04:00:24 UTC
No news.
Comment 15 Andreas K. Hüttel archtester gentoo-dev 2022-11-06 22:28:37 UTC
No news.