system/binutils: CVE-2019-9072: excessive memory allocation in setup_group
| Bugzilla ID | 108 |
| Alias(es) | CVE-2019-9072 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-24 02:55:18 -0500 |
| Modified | 2019-07-24 19:17:49 -0500 |
| Status | RESOLVED WONTFIX |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-9072 |
| See also |
https://bts.adelielinux.org/show_bug.cgi?id=116 https://bts.adelielinux.org/show_bug.cgi?id=109 |
Description
From upstream [1]:
This doesn't reproduce for me, at least not on objdump built by gcc
and without the address sanitizer (which increases memory use).
Incidentally, hitting an out of memory failure in objalloc_alloc is
not a libiberty failure and so should not be reported to the gcc
project.Also, out of memory failures triggered by user input are not that
interesting. It is perfectly reasonable for objdump to return with
"out of memory" on objects with silly sizes.
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=24232#c2
[2] https://sourceware.org/bugzilla/show_bug.cgi?id=24237#c2