Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 30 Jun 2016 09:44:39 -0400 (EDT)
From: cve-assign@...re.org
To: boehme.marcel@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, florian@...h-krohm.de, nickc@...hat.com, bschmidt@...hat.com
Subject: Re: CVE Request: No demangling of untrusted binaries (2)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A stackoverflow in the libiberty demangler causes its host application
> to crash on a tainted branch instruction. The problem is caused by a
> self-reference in a mangled type string that is "remembered" for later
> reference. This leads to an infinite recursion during the demangling.
> 
> * GDB exploitable classifies the stack overflow as exploitable.
> 
> * Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
> 
> * Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html
> 
> All vulnerabilities were found with a more efficient version of the AFL fuzzer, called AFLFast.

>> The patch tracks the mangled types that are currently being demangled
>> in a new variable called work->proctypevec. If a referenced type is
>> currently being demangled, the demangling is marked as not successful.

Use CVE-2016-6131.

As far as we can tell, there was only one vulnerability reported here.
We don't understand the reference to "All vulnerabilities were found
with" - this seems to imply more than one vulnerability. Also, we
don't understand the parenthesized numbers such as "No demangling of
untrusted binaries (2)" in the Subject line, and "Libiberty Demangler
segfaults (6)" and "Fix fir PR71696 in Libiberty Demangler (6)" in the
references.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXdSHOAAoJEHb/MwWLVhi2SOMP/37QfylN++UvAd0PdO/ZTc00
Vk+piwJvzeVoAv2Jp8ZwU1S4hj43LlXR9WrK0NX/lLUwId69Zao6faWGO203hDnz
4TrmvuRyVT7jT5df6NVadwOawEeEklRuI56fBnm7e09nuchLpg1314TsiyqmHo1C
Ca41bfkIj091KAKW3nKER37ALb2DG2dSfR4+9ksTaalhdDwaykKwy9eYHcbA7+Sd
76Dra1MRTGgHr+YTIrqASn+lXC/ar/+rqy81oUZK38XviK8rkK+oKY6ODz9DHmED
815kkv8iflHezxsEW5PSWP9oQ5C7wGD7bju480ziqZF/r8bjW5dwm5jeEiTd6XWj
b1R05LqhnldiaSlYT/TqaFz6Pbu3uEbTUjOqH/Sn85MHFLVKJ3ZeLOzYUamaDRN7
KcHQPNM2GW6zcJJax9UEd0qseCvmn04X9NrNNjL06RstrxGtLeFGRQjyRX83uRij
mue5U2pf27YSKeVTo3CHw/q65Xwe+a/uSOoJzGYnmkGdx2Eu/3DKLsCqxP9d5BA2
jY+MnwkvctJpBzy6kxfeSGJkZ/N7np/yzD6k/hfJrGEgTaB7qfZ8NeHX3WTjiT73
MvkAAvICRwnLRN93buvCwMDQNl4xOSCVg3eK2slpxFxaU6/dsH/W+BUN20/Gkmf6
dsWpgmbMAUIb6gmzPCR2
=De4P
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ