binutils: Stack-overflow in debug_write_type in debug.c

[Pavel Mayorov <pmayorov () cloudlinux com>]

Hello!

It was observed that CVE-2018-12700 in binutils package wasn't completely fixed.
I was able to reproduce that issue by following instructions I had
described in https://sourceware.org/bugzilla/show_bug.cgi?id=28718
I assessed that this issue is only locally exploitable. Its impact is
to resource availability and
observable effects of objdump which I've tested range from fatal
signal reception to livelock (due to optimization of recursions).
The exact effect depends on compiler version and operating system.

Due to the nature of binutils which are normally used by developers
only and don't affect production environments, I've decided to
publicly report that issue.

-- 
Best regards,

Pavel Mayorov
Senior C Developer


CloudLinux.com  |  KernelCare.com  |  Imunify360  | AlmaLinux

helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
Follow twitter.com/CloudLinuxOS for technical updates