Bug 652060 (CVE-2018-9138) - sys-devel/binutils: Stack Exhaustion
Summary: sys-devel/binutils: Stack Exhaustion
Status: RESOLVED INVALID
Alias: CVE-2018-9138
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-31 02:13 UTC by Michael Boyle
Modified: 2018-11-30 23:55 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Boyle 2018-03-31 02:13:19 UTC
CVE-2018-9138:

An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2018-04-29 19:38:09 UTC
(In reply to Michael Boyle from comment #0)
> CVE-2018-9138:
> 
> An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in
> GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++
> demangling functions provided by libiberty, and there are recursive stack
> frames: demangle_nested_args, demangle_args, do_arg, and do_type.

Still under debate upstream whether this is real, no fix committed
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2018-11-30 23:09:56 UTC
Upstream conclusion seems to be "working as expected"
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-11-30 23:55:05 UTC
(In reply to Andreas K. Hüttel from comment #2)
> Upstream conclusion seems to be "working as expected"

Agree.