CVE-2006-4146 GDB buffer overflow in dwarf stack handling

Bug #62695 reported by Kees Cook
Affects: gdb (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

breezy, dapper, edgy are vulnerable. Patch is available from
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204845

Revision history for this message
Kees Cook (kees) wrote :

Here is a proof-of-concept executable I created, which has a modified .debug_info section that overflows the DWARF2 reader, as outlined in the CVE.

Kees Cook (kees) wrote :

Source to proof-of-concept. After compiling, using a hex editor, I overwrote "kapow"'s location operator (hex values 0x050304980408) with 0xC2 (new length) 0x3a (push value 10), then 0xC1 more bytes of value 0x12 (DW_OP_dup, which fills the stack with prior stack value).

Kees Cook (kees) wrote :

Patch, based on the Google-recommended patch. This corrected patch allows for stacki==0, which is a valid state.
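Added illustration (not GDB's code and not the patch attached to this bug): a minimal DWARF expression evaluator in which every push goes through one bounds check, so an expression built as described in the earlier comment (DW_OP_lit10 followed by a run of DW_OP_dup) is rejected with an error instead of writing past the stack, while an empty stack (stacki == 0) remains a valid state as the corrected patch requires. The fixed STACK_MAX, the dw_ctx structure, the status codes and the two constructed expressions are assumptions of this example; the opcode values DW_OP_dup (0x12), DW_OP_plus (0x22) and DW_OP_lit0..DW_OP_lit31 (0x30..0x4f) are the standard DWARF 2 encodings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DWARF expression opcodes used in this example (standard DWARF 2 values). */
#define DW_OP_dup   0x12
#define DW_OP_plus  0x22
#define DW_OP_lit0  0x30
#define DW_OP_lit31 0x4f

/* Illustrative fixed-size evaluation stack; an assumption of this example, not GDB's layout. */
#define STACK_MAX 64

enum dw_status { DW_OK = 0, DW_ERR_UNDERFLOW = 1, DW_ERR_OVERFLOW = 2, DW_ERR_BADOP = 3 };

struct dw_ctx {
    uint64_t stack[STACK_MAX];
    size_t stacki;   /* number of live entries; 0 (empty) is a valid state */
};

/* Every write into the stack goes through this single bounds check. */
static enum dw_status dw_push(struct dw_ctx *ctx, uint64_t v)
{
    if (ctx->stacki >= STACK_MAX)
        return DW_ERR_OVERFLOW;
    ctx->stack[ctx->stacki++] = v;
    return DW_OK;
}

static enum dw_status dw_pop(struct dw_ctx *ctx, uint64_t *out)
{
    if (ctx->stacki == 0)
        return DW_ERR_UNDERFLOW;
    *out = ctx->stack[--ctx->stacki];
    return DW_OK;
}

/* Evaluate expr[0..len). Returns DW_OK with the final stack left in *ctx, or an error code. */
enum dw_status dw_eval(const uint8_t *expr, size_t len, struct dw_ctx *ctx)
{
    memset(ctx, 0, sizeof *ctx);
    for (size_t i = 0; i < len; i++) {
        uint8_t op = expr[i];
        enum dw_status rc;
        if (op >= DW_OP_lit0 && op <= DW_OP_lit31) {
            rc = dw_push(ctx, op - DW_OP_lit0);            /* DW_OP_litN pushes N */
        } else if (op == DW_OP_dup) {
            if (ctx->stacki == 0)
                return DW_ERR_UNDERFLOW;                   /* nothing to duplicate */
            rc = dw_push(ctx, ctx->stack[ctx->stacki - 1]); /* bounds-checked copy of top */
        } else if (op == DW_OP_plus) {
            uint64_t a, b;
            if ((rc = dw_pop(ctx, &a)) != DW_OK || (rc = dw_pop(ctx, &b)) != DW_OK)
                return rc;
            rc = dw_push(ctx, a + b);
        } else {
            return DW_ERR_BADOP;                           /* opcode not handled in this example */
        }
        if (rc != DW_OK)
            return rc;
    }
    return DW_OK;
}

/* Constructed benign expression: lit10, dup, plus -> top of stack is 20. Returns -1 on error. */
int64_t benign_top_value(void)
{
    static const uint8_t expr[] = { DW_OP_lit0 + 10, DW_OP_dup, DW_OP_plus };
    struct dw_ctx ctx;
    if (dw_eval(expr, sizeof expr, &ctx) != DW_OK || ctx.stacki == 0)
        return -1;
    return (int64_t)ctx.stack[ctx.stacki - 1];
}

/* Constructed expression shaped like the report's: 0x3a followed by 0xC1 (193) DW_OP_dup bytes.
   With STACK_MAX entries the evaluator stops at the first push that would exceed the stack. */
enum dw_status hostile_status(void)
{
    uint8_t expr[1 + 0xC1];
    struct dw_ctx ctx;
    expr[0] = DW_OP_lit0 + 10;
    memset(expr + 1, DW_OP_dup, 0xC1);
    return dw_eval(expr, sizeof expr, &ctx);
}

int main(void)
{
    printf("benign expression: top of stack = %lld\n", (long long)benign_top_value());
    printf("hostile expression: status = %d (2 = overflow rejected)\n", (int)hostile_status());
    return 0;
}
```

The point of routing DW_OP_dup through dw_push rather than indexing the array directly is that the depth check lives in one place and is written as `stacki >= STACK_MAX`, which treats an empty stack as ordinary rather than as an error.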

Martin Pitt (pitti) wrote :
Changed in gdb:
status: Unconfirmed → Fix Released
Martin Pitt (pitti) wrote :

Uploaded edgy version with your patch as well.
