public inbox for gcc-help@gcc.gnu.org
 help / color / mirror / Atom feed
* determining impact of vulnerability CVE-2022-27943 in libiberty/rust-demangle.c
@ 2022-08-02 16:11 fus
  2022-08-02 16:33 ` Jonathan Wakely
  0 siblings, 1 reply; 2+ messages in thread
From: fus @ 2022-08-02 16:11 UTC (permalink / raw)
  To: gcc-help

The above mentioned CVE 
(https://nvd.nist.gov/vuln/detail/CVE-2022-27943) just specifies GNU GCC 
11.2 to be affected, but fails to eplicitly specify that previous 
versions are not affected. Does this CVE only affect exactly GCC version 
11.2?

And I would also like to know how I can determine whether or not I will 
be eposed to this vulnerability when using an affected version. Is the 
rust demangler used internally by any C/C++ tools or will I only be 
affected when compiling rust programs?

Regards
Frank

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: determining impact of vulnerability CVE-2022-27943 in libiberty/rust-demangle.c
  2022-08-02 16:11 determining impact of vulnerability CVE-2022-27943 in libiberty/rust-demangle.c fus
@ 2022-08-02 16:33 ` Jonathan Wakely
  0 siblings, 0 replies; 2+ messages in thread
From: Jonathan Wakely @ 2022-08-02 16:33 UTC (permalink / raw)
  To: fus; +Cc: gcc-help

On Tue, 2 Aug 2022 at 17:12, <fus@plutonium24.de> wrote:
>
> The above mentioned CVE
> (https://nvd.nist.gov/vuln/detail/CVE-2022-27943) just specifies GNU GCC
> 11.2 to be affected, but fails to eplicitly specify that previous
> versions are not affected. Does this CVE only affect exactly GCC version
> 11.2?

No, some earlier versions are affected.

>
> And I would also like to know how I can determine whether or not I will
> be eposed to this vulnerability when using an affected version. Is the
> rust demangler used internally by any C/C++ tools

No.

> or will I only be
> affected when compiling rust programs?

It isn't used when compiling rust programs. It's only used when
inspecting binaries containing rust code, e.g. using the 'nm-new'
utility. If I understand correctly, the stack overflow can only happen
with binaries containing bogus symbol names specially crafted to
exploit the bug.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-08-02 16:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-02 16:11 determining impact of vulnerability CVE-2022-27943 in libiberty/rust-demangle.c fus
2022-08-02 16:33 ` Jonathan Wakely

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).