Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620492 (CVE-2016-6131) - <sys-devel/gcc-6.4.0 denial of service (infinite loop, stack overflow, and crash) in the libiberty demangler
Summary: <sys-devel/gcc-6.4.0 denial of service (infinite loop, stack overflow, and cr...
Status: RESOLVED FIXED
Alias: CVE-2016-6131
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: 638030
Blocks:
  Show dependency tree
 
Reported: 2017-06-03 09:40 UTC by Andrey Ovcharov
Modified: 2020-05-02 02:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
gcc-5.4-CVE-2016-6131.patch (gcc-5.4-CVE-2016-6131.patch,7.58 KB, patch)
2017-06-03 09:40 UTC, Andrey Ovcharov
no flags Details | Diff
gcc-6.3-CVE-2016-6131.patch (gcc-6.3-CVE-2016-6131.patch,7.76 KB, patch)
2017-06-03 09:41 UTC, Andrey Ovcharov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Ovcharov 2017-06-03 09:40:35 UTC
Created attachment 475106 [details, diff]
gcc-5.4-CVE-2016-6131.patch

sys-devel/gcc-{5.4.0,5.4.0-r3,6.3.0} affected CVE-2016-6131
Comment 1 Andrey Ovcharov 2017-06-03 09:41:00 UTC
Created attachment 475108 [details, diff]
gcc-6.3-CVE-2016-6131.patch
Comment 2 Jonas Stein gentoo-dev 2017-06-03 15:59:15 UTC
Thank you!
Comment 3 Andreas K. Hüttel gentoo-dev 2017-10-03 18:50:42 UTC
Somehow this ended up in the wrong place.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 19:41:16 UTC
Thanks, how is this going? Is there any vulnerable version in tree?

I suppose that summary should have a "<" at the beginning which says that we need to clean up or mask vulnerable versions.

@Maintainers could you please confirm?

Gentoo Security Padawan
ChrisADR
Comment 5 Andreas K. Hüttel gentoo-dev 2017-10-05 19:49:56 UTC
(In reply to Christopher Díaz from comment #4)
> Thanks, how is this going? Is there any vulnerable version in tree?
> 
> I suppose that summary should have a "<" at the beginning which says that we
> need to clean up or mask vulnerable versions.

Nope, these are the vulnerable versions.

We are going to stabilize 6.4.0 soon, until then we just have to wait here.

5.4.0* will be masked sometime afterwards (for different reasons), 6.3 removed. No further cleanup.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-10 17:28:30 UTC
please extend mask
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-05-02 02:40:06 UTC
mask is good.