Bug 620492 (CVE-2016-6131) - <sys-devel/gcc-6.4.0 denial of service (infinite loop, stack overflow, and crash) in the libiberty demangler
Status: RESOLVED FIXED
Alias: CVE-2016-6131
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: 638030
Blocks:
Reported: 2017-06-03 09:40 UTC by Andrey Ovcharov
Modified: 2020-05-02 02:40 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
gcc-5.4-CVE-2016-6131.patch (gcc-5.4-CVE-2016-6131.patch,7.58 KB, patch)
2017-06-03 09:40 UTC, Andrey Ovcharov
gcc-6.3-CVE-2016-6131.patch (gcc-6.3-CVE-2016-6131.patch,7.76 KB, patch)
2017-06-03 09:41 UTC, Andrey Ovcharov

Description Andrey Ovcharov 2017-06-03 09:40:35 UTC
Created attachment 475106
gcc-5.4-CVE-2016-6131.patch

sys-devel/gcc-{5.4.0,5.4.0-r3,6.3.0} affected CVE-2016-6131
Comment 1 Andrey Ovcharov 2017-06-03 09:41:00 UTC
Created attachment 475108
gcc-6.3-CVE-2016-6131.patch
Comment 2 Jonas Stein gentoo-dev 2017-06-03 15:59:15 UTC
Thank you!
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-10-03 18:50:42 UTC
Somehow this ended up in the wrong place.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 19:41:16 UTC
Thanks, how is this going? Is there any vulnerable version in tree?

I suppose that summary should have a "<" at the beginning which says that we need to clean up or mask vulnerable versions.

@Maintainers could you please confirm?

Gentoo Security Padawan
ChrisADR
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-10-05 19:49:56 UTC
(In reply to Christopher Díaz from comment #4)
> Thanks, how is this going? Is there any vulnerable version in tree?
> 
> I suppose that summary should have a "<" at the beginning which says that we
> need to clean up or mask vulnerable versions.

Nope, these are the vulnerable versions.

We are going to stabilize 6.4.0 soon, until then we just have to wait here.

5.4.0* will be masked sometime afterwards (for different reasons), 6.3 removed. No further cleanup.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 17:28:30 UTC
please extend mask
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2020-05-02 02:40:06 UTC
mask is good.