Hi Scott, > Thank you for looking into this Nick. I've been staring at a few of these > CVEs off-and-on for a few days, and the following CVEs all look like > duplicates: > > CVE-2018-17985: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335 > CVE-2018-18484: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636 > CVE-2018-18701: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675 > CVE-2018-18700: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681
Yes, essentially they are. They actually trigger stack exhaustion at different places inside libiberty, but the root cause is the same. I am also happy to say that my proposed patch fixes *all* of these PRs. > Perhaps some of these should be rejected? That would nice, but I think that if the patch is accepted then the issue should be resolved and we should stop seeing this kind of CVE. (I must admit that my motivation for creating this patch in the first place is that I am fed up with the amount of hassle that is involved each time a new CVE is created. Especially when they are essentially all the same bug). Cheers Nick
