Re: CVE Request: No Demangling During Analysis of Untrusted Binaries

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> 1) Exploitable Buffer Overflow (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

As far as we can tell, you sent a CVE request for this vulnerability
to cve-assign () mitre org (from a different email address of yours) on
2016-02-05, and we replied with a CVE ID on 2016-02-06. Is there an
additional aspect of 69687 that you are reporting now?

Our reply at that time was:

  > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

  >> Since n is a signed int, n wraps over at some iteration. Since,
  >> realloc expects n to be unsigned, we end up allocating less memory
  >> then actually needed. In the beginning though n is too large and
  >> xrealloc simply complains. However, if you play a bit with the length
  >> of arg, you'll quickly turn that integer overflow in a buffer
  >> overflow.

  Use CVE-2016-2226 for this incorrect handling of a signed int.


> 2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Comment 2 says "two distinct bugs."

Use CVE-2016-4487 for the btypevec bug.

Use CVE-2016-4488 for the ktypevec bug.


> 3) Invalid Write due to Integer Overflow (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492

Use CVE-2016-4489.


> 4) Write Access Violation (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498

Use CVE-2016-4490 for this issue described as "Root cause: In
cp-demangle.c sometimes length-variables are of type long ... Other
times they are of type int."

Note that this CVE ID is not about the Comment 1 "case where
consume_count returns -1" -- that comment does not belong in 70498 at
all.


> 5) Various Stack Corruptions (Patch under Review)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909
> https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00105

Use CVE-2016-4491 for this issue caused by a lack of checking for "has
itself as ancestor more than once."


> 6) Write Access Violation (Patch under Review)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
> https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00223

Use CVE-2016-4492 for both of the "first read the value of a length
variable len from the mangled string, then strncpy len characters from
the mangled string; more than necessary" issues.

Use CVE-2016-4493 for both of the "read the value of an array index n
from the mangled string, which can be negative due to an overflow"
issues.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXKtL3AAoJEHb/MwWLVhi2+5gP/3qHIH8ngHS85trkFRrAiLtn
5nNVzyil6xjQCo7F7ScLfYQK0AfKGhBhQzO16dAI2hHMIRc8AaXH4cinRHHHQrYM
hrwj5SoZoXMgrUZLZJ2v1H0oidBwMFUqprnC1NEgqNMoRw6DM0NZTsy4opgKCl1R
dbSfqBybZr+qscnn4wAaN2ctOS0A2/PlSIxDJ5LRPEJyb+fLNVVnbj5LIybjD/To
uPpQPkGKekK3oD52huRlb5hLy9qq3eVzoyu0Lup34ec0iRnLQjqwmYm8dZvbhPnt
QMgZPe0iyRaQAtpE5nj7eZDhFuQ9vqS1KikzuinZRUkLcIGroGmnUtGdCCDUHzL1
s12c6fpGkU2Huuz9mgVrdtOKdcSyFnvEl14xMCQLBhf8LVNKQ9RkVaHPUWLt+0uw
/BtwNCs6NSAGtfi0yuX4F76u3SGKTnell7Za9BJQKXZFeDtwTUc9N01eWGpovB1l
um6HQ75vca6+kxlX6ZZn9Zm7Dr1CNtcCLfKka9MtxmfkaucV5vOjlqURA58jrpdS
NJU5TgRr2WcFqI/3gfOzQFkz1R1voZMgQJEKNIRtLC04nLWxXwoRAGQ9oJK34y0Z
BVoWD9jDc3lEXx+X5MOmUZy4+RQQl0qizLquLxqTXbRUBpgsFP0Mw/w7dWCkghCA
kazRhIrShTety5Dx7/qO
=Qvdr
-----END PGP SIGNATURE-----