Moving vulnerabilities here from bug 661154 which have been fixed in 2.32 > > > > CVE-2018-9138 (https://nvd.nist.gov/vuln/detail/CVE-2018-9138): > > > > An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in > > > > GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling > > > > functions provided by libiberty, and there are recursive stack frames: > > > > demangle_nested_args, demangle_args, do_arg, and do_type. > > > > > > https://sourceware.org/bugzilla/show_bug.cgi?id=23008 > > > No action upstream so far. > > Nick Clifton 2018-12-07 13:37:08 UTC > > Fixed by recent merge with gcc libiberty sources. > > => fixed in gentoo 2.32 branch > > > > CVE-2018-12700 (https://nvd.nist.gov/vuln/detail/CVE-2018-12700): > > > > A Stack Exhaustion issue was discovered in debug_write_type in debug.c in > > > > GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion. > > > > > > Problem is in libiberty. > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 > > "Fixed with commit 266886." > Fixed in 2.32 > > > > CVE-2018-12699 (https://nvd.nist.gov/vuln/detail/CVE-2018-12699): > > > > finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a > > > > denial of service (heap-based buffer overflow) or possibly have unspecified > > > > other impact, as demonstrated by an out-of-bounds write of 8 bytes. This > > > > can > > > > occur during execution of objdump. > > > > > > Problem is in libiberty. > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 > > "Fixed with commit 266886." > Fixed in 2.32 > > > > CVE-2018-12698 (https://nvd.nist.gov/vuln/detail/CVE-2018-12698): > > > > demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU > > > > Binutils 2.30, allows attackers to trigger excessive memory consumption > > > > (aka > > > > OOM) during the "Create an array for saving the template argument values" > > > > XNEWVEC call. This can occur during execution of objdump. > > > > > > Problem is in libiberty. > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 > > "Fixed with commit 266886." > Fixed in 2.32 > > > > CVE-2018-12697 (https://nvd.nist.gov/vuln/detail/CVE-2018-12697): > > > > A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was > > > > discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as > > > > distributed in GNU Binutils 2.30. This can occur during execution of > > > > objdump. > > > > > > Problem is in libiberty. > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 > > "Fixed with commit 266886." > Fixed in 2.32 > > > > CVE-2018-12641 (https://nvd.nist.gov/vuln/detail/CVE-2018-12641): > > > > An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as > > > > distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ > > > > demangling functions provided by libiberty, and there are recursive stack > > > > frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, > > > > do_type, do_arg, demangle_args, and demangle_nested_args. This can occur > > > > during execution of nm-new. > > > > > > Problem is in libiberty. > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452 > > "Fixed with commit 266886" > Fixed in 2.32
This issue was resolved and addressed in GLSA 201908-01 at https://security.gentoo.org/glsa/201908-01 by GLSA coordinator Aaron Bauman (b-man).
@toolchain, please expand mask/cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee7f5d78dba6382df116603c3a64b53bf97f885e commit ee7f5d78dba6382df116603c3a64b53bf97f885e Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2019-08-09 20:54:32 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2019-08-09 20:54:32 +0000 package.mask: extend binutils mask to newer versions, bug 682698 Bug: https://bugs.gentoo.org/682698 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> profiles/package.mask | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
All affected versions masked, no cleanup. Please proceed.