CVE-2006-4146 GDB buffer overflow in dwarf stack handling

Bug #62695 reported by Kees Cook on 2006-09-27
Affects: gdb (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

breezy, dapper and edgy are vulnerable. A patch is available from
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204845

CVE References

CVE-2006-4146

Kees Cook (kees) wrote :

Here is a proof-of-concept executable I created, which has a modified .debug_info section that overflows the DWARF2 reader, as outlined in the CVE.

Kees Cook (kees) wrote :

Source to proof-of-concept. After compiling, using a hex editor, I overwrote "kapow"'s location operator (hex values 0x050304980408) with 0xC2 (new length), 0x3a (push value 10), then 0xC1 more bytes of value 0x12 (DW_OP_dup, which fills the stack with the prior stack value).

Kees Cook (kees) wrote :

Patch, based on the Google-recommended patch. This corrected patch allows for stacki == 0, which is a valid state.
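The two comments above describe the crafted location expression (length 0xC2, DW_OP_lit10, then 0xC1 bytes of DW_OP_dup) and the shape of the fix (a bounds check on the stack index that still treats stacki == 0 as valid). The following is an added illustration written for this page, not GDB's source or Kees Cook's patch: a toy evaluator for DW_FORM_block1 location descriptions with a fixed 64-slot stack indexed the way the report describes, plus a function that reconstructs the PoC bytes. The stack size, the opcode subset, the 32-bit little-endian address operand and all function names are assumptions chosen for the example; opcode values are from the DWARF 2 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a decode_locdesc()-style evaluator (not GDB's code): a fixed
   64-slot stack, stacki starting at 0, every push writing stack[++stacki]. */
#define LOC_STACK_SLOTS 64

enum {
    DW_OP_addr  = 0x03,   /* push a 4-byte address operand (assumed 32-bit target) */
    DW_OP_dup   = 0x12,   /* push a copy of the top of stack */
    DW_OP_plus  = 0x22,   /* pop two values, push their sum */
    DW_OP_lit0  = 0x30,   /* DW_OP_lit0 .. DW_OP_lit31 push 0 .. 31 */
    DW_OP_lit31 = 0x4f
};

enum loc_status {
    LOC_OK = 0,
    LOC_ERR_TRUNCATED,    /* block shorter than its length byte claims */
    LOC_ERR_BADOP,        /* opcode this toy evaluator does not implement */
    LOC_ERR_UNDERFLOW,    /* pop from an empty stack */
    LOC_ERR_OVERFLOW      /* push that would run off the end of stack[] */
};

/* Evaluate a block1 location description (length byte followed by the
   expression). On LOC_OK *result is the top of stack; *peak always receives
   the deepest stacki reached, so a caller can see how far the PoC got. */
enum loc_status decode_locdesc(const uint8_t *blk, size_t blk_len,
                               uint32_t *result, int *peak)
{
    uint32_t stack[LOC_STACK_SLOTS];
    int stacki = 0;       /* stack[0] is a dummy slot; stacki == 0 means empty */
    size_t n, i = 0;
    const uint8_t *expr;

    *peak = 0;
    if (blk_len < 1)
        return LOC_ERR_TRUNCATED;
    n = blk[0];
    if (n + 1 > blk_len)
        return LOC_ERR_TRUNCATED;
    expr = blk + 1;

    while (i < n) {
        uint8_t op = expr[i++];
        uint32_t v;

        if (op == DW_OP_addr) {
            if (i + 4 > n)
                return LOC_ERR_TRUNCATED;
            v = (uint32_t)expr[i] | (uint32_t)expr[i + 1] << 8
              | (uint32_t)expr[i + 2] << 16 | (uint32_t)expr[i + 3] << 24;
            i += 4;
        } else if (op >= DW_OP_lit0 && op <= DW_OP_lit31) {
            v = op - DW_OP_lit0;
        } else if (op == DW_OP_dup) {
            if (stacki < 1)
                return LOC_ERR_UNDERFLOW;
            v = stack[stacki];
        } else if (op == DW_OP_plus) {
            if (stacki < 2)
                return LOC_ERR_UNDERFLOW;
            v = stack[stacki] + stack[stacki - 1];
            stacki -= 2;
        } else {
            return LOC_ERR_BADOP;
        }

        /* The check the fix adds. Without it the PoC's 194 pushes write up to
           stack[194], far past the 64-slot array. Comparing against
           LOC_STACK_SLOTS - 1 keeps the empty stack (stacki == 0) valid. */
        if (stacki >= LOC_STACK_SLOTS - 1)
            return LOC_ERR_OVERFLOW;
        stack[++stacki] = v;
        if (stacki > *peak)
            *peak = stacki;
    }

    if (stacki < 1)
        return LOC_ERR_UNDERFLOW;
    *result = stack[stacki];
    return LOC_OK;
}

/* Reconstruct the crafted block1 from the comment above: length 0xC2,
   DW_OP_lit10 (0x3a), then 0xC1 bytes of DW_OP_dup. Returns bytes written. */
size_t build_poc_locdesc(uint8_t *out, size_t cap)
{
    size_t len = 1 + 0xC2;
    if (cap < len)
        return 0;
    out[0] = 0xC2;
    out[1] = 0x3a;
    memset(out + 2, DW_OP_dup, 0xC1);
    return len;
}

int main(void)
{
    /* The original "kapow" location operator quoted in the comment above. */
    static const uint8_t kapow_orig[] = { 0x05, 0x03, 0x04, 0x98, 0x04, 0x08 };
    uint8_t poc[256];
    uint32_t r = 0;
    int peak = 0;

    printf("original: status %d, addr 0x%08x, peak %d\n",
           decode_locdesc(kapow_orig, sizeof kapow_orig, &r, &peak), r, peak);
    size_t n = build_poc_locdesc(poc, sizeof poc);
    printf("poc:      status %d, peak %d (of %d slots)\n",
           decode_locdesc(poc, n, &r, &peak), peak, LOC_STACK_SLOTS);
    return 0;
}
```

The original six-byte block decodes to the address 0x08049804 with a peak depth of one; the crafted block is refused at depth 63, the last slot the array has, instead of continuing for another 131 pushes past it.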

Martin Pitt (pitti) wrote :

Changed in gdb:
status: Unconfirmed → Fix Released

Martin Pitt (pitti) wrote :

Uploaded edgy version with your patch as well.

This report contains public security information; everyone can see it.