From: Scott Gayou
Date: Thu, 29 Nov 2018 17:08:00 -0000
Subject: Re: RFA/RFC: Add stack recursion limit to libiberty's demangler
To: nickc@redhat.com
Cc: ian@airs.com, gcc-patches@gcc.gnu.org, binutils@sourceware.org, matz@gcc.gnu.org, jason@redhat.com
In-Reply-To: <87sgzkszbh.fsf@redhat.com>

Thank you for looking into this Nick. I've been staring at a few of these CVEs off-and-on for a few days, and the following CVEs all look like duplicates:

CVE-2018-17985: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
CVE-2018-18484: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
CVE-2018-18701: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675
CVE-2018-18700: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681

There may be more. I think Mitre is scanning the gnu bugzilla and assigning CVEs?

This does look like a legitimate very low criticality "denial of service", but generating new CVEs for every unique poc file against the same root cause doesn't seem useful. Perhaps some of these should be rejected?

--
Scott Gayou / Red Hat Product Security