Bug#: 144833
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>
Filename | Description | Type | Creator | Created | Size
gdb+cvs20060822_CVE-2006-4146.patch | patch | patch | Tavis Ormandy (RETIRED) | 2006-08-23 02:03 0000 | 3.19 KB
Description:   Opened: 2006-08-23 02:02 0000
======================
Will Drewry <wad@google.com> of the Google Security Team has found multiple
exploitable vulnerabilities in the DWARF and DWARF2 code. Initially,
Tavis Ormandy <taviso@google.com>, also of the Google Security Team,
discovered a crash condition in GDB related to DWARF2 debugging information.
This discovery led to the further exploration of the condition, and the
discovery of the security implications.

The DWARF specification allows location description blocks containing a list of
operations to be used to determine the final real address for some debugging
symbol. GDB evaluates these operations on an unchecked stack buffer of size 64.
This allows for any location block (DW_FORM_block) with more than 64 operations
to overwrite the current stack frame with arbitrary user-supplied data.  This
behavior occurs in both dwarfread.c and dwarfread2.c.
====================
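The bounds check this report calls for, shown as an added illustration in C; it is not GDB's code or the attached patch, and the two-opcode subset, `dwarf_eval_block` and `eval_sum` are constructed for the example:

```c
#include <stddef.h>
#include <stdint.h>

#define DW_STACK_SIZE 64   /* fixed operand-stack depth named in the report */
/* Constructed two-opcode subset of a location expression (illustration only, not
   GDB's decoder or real DW_OP_* numbers): OP_LIT <byte> pushes it, OP_PLUS adds. */
enum { OP_LIT = 0x01, OP_PLUS = 0x02 };

/* Evaluate a block, bounds-checking every stack access.  Returns 0 with the top
   of stack in *result, or -1 on a truncated block, underflow, unknown opcode, or
   a 65th push.  The unchecked evaluator in the report did `stack[depth++] = v;'
   without testing DW_STACK_SIZE, so >64 operations wrote past the array. */
int dwarf_eval_block(const uint8_t *blk, size_t len, uint64_t *result)
{
    uint64_t stack[DW_STACK_SIZE];
    size_t depth = 0, i = 0;
    while (i < len) {
        uint8_t op = blk[i++];
        if (op == OP_LIT) {
            if (i >= len || depth >= DW_STACK_SIZE) /* no operand, or full */
                return -1;
            stack[depth++] = blk[i++];
        } else if (op == OP_PLUS) {
            if (depth < 2)                          /* underflow */
                return -1;
            depth--;
            stack[depth - 1] += stack[depth];
        } else {
            return -1;                              /* unknown opcode */
        }
    }
    if (depth == 0)
        return -1;
    *result = stack[depth - 1];
    return 0;
}

/* Check helper: a constructed block of n pushes of the byte 1 followed by n-1
   OP_PLUS ops.  Returns n when accepted and -1 when rejected, so 64 pushes pass
   while 65 (one more than the stack holds) is refused instead of overflowing. */
long long eval_sum(size_t n)
{
    uint8_t buf[3 * DW_STACK_SIZE + 3];             /* holds n <= 65 */
    uint64_t r; size_t len = 0;
    if (n > DW_STACK_SIZE + 1) return -1;
    for (size_t k = 0; k < n; k++) { buf[len++] = OP_LIT; buf[len++] = 1; }
    for (size_t k = 1; k < n; k++) buf[len++] = OP_PLUS;
    return dwarf_eval_block(buf, len, &r) == 0 ? (long long)r : -1;
}
```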

------- Comment #1 From Tavis Ormandy (RETIRED) 2006-08-23 02:03:06 0000 -------
Created an attachment (id=94918)
patch

------- Comment #2 From SpanKY 2006-08-23 07:49:03 0000 -------
i assume you will take care of pushing this upstream ?

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-09-01 04:16:17 0000 -------
This is now public.

------- Comment #4 From Sune Kloppenborg Jeppesen 2006-09-05 06:36:28 0000 -------
Toolchain any news on this one?

------- Comment #5 From SpanKY 2006-09-05 22:44:51 0000 -------
upstream gdb hasn't merged anything

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-09-13 23:36:36 0000 -------
Ok, returning to upstream status for now.

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-03-25 11:53:30 0000 -------
Half a year has passed, any news from upstream?

------- Comment #8 From SpanKY 2007-03-25 12:20:42 0000 -------
looks like it's been merged so i should cut the patch for our 6.6 ebuild

------- Comment #9 From SpanKY 2007-03-31 21:47:07 0000 -------
i lied ... upstream hasn't merged anything, i confused the redhat cvs commit as
an upstream sourceware commit

i've added said patch to our patchset though rather than continue waiting for
upstream to do nothing ... gdb-6.6-r2 out the door

------- Comment #10 From Matt Drew 2007-04-05 00:32:47 0000 -------
Thanks Mike - arches, please stabilize sys-devel/gdb-6.6-r2.

------- Comment #11 From Markus Rothe 2007-04-05 06:32:48 0000 -------
ppc64 stable

------- Comment #12 From Markus Meier 2007-04-05 14:46:41 0000 -------
sys-devel/gdb-6.6-r2  USE="nls test -vanilla"
1. emerges on x86
2. fails test suite:
                === gdb Summary ===

# of expected passes            10999
# of unexpected failures        47
# of unexpected successes       1
# of expected failures          41
# of unknown successes          9
# of known failures             65
# of unresolved testcases       2
# of untested testcases         8
# of unsupported tests          11

3. passes collision test
4. but seems to work

Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.19.7 i686)
=================================================================
System uname: 2.6.19.7 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 05 Apr 2007 13:00:08 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/php/apache1-php5/ext-active/
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli
cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam
ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6
isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3
mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd
python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp
spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype
truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264
x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard
mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU"
VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

------- Comment #13 From SpanKY 2007-04-05 19:08:58 0000 -------
test suite failure for gdb is normal

------- Comment #14 From Christian Faulhammer 2007-04-06 11:10:04 0000 -------
x86 stable

------- Comment #15 From Peter Weller 2007-04-06 15:58:29 0000 -------
amd64 stable.

------- Comment #16 From Jeroen Roovers 2007-04-06 16:20:18 0000 -------
Stable for HPPA.

------- Comment #17 From Raúl Porcel 2007-04-09 20:35:33 0000 -------
ia64 stable

------- Comment #18 From Michael Cummings (RETIRED) 2007-04-10 11:34:30 0000 -------
sparc done

------- Comment #19 From Jose Luis Rivero (yoswink) 2007-04-10 14:21:45 0000 -------
alpha ready

------- Comment #20 From Tobias Scherbaum 2007-04-11 19:42:20 0000 -------
ppc stable

------- Comment #21 From Raphael Marichez 2007-05-08 19:34:43 0000 -------
forgotten. Calling a vote.

I vote noglsa because of a hard exploitation on functions used by specialists.

------- Comment #22 From Vic Fryzel (shellsage) 2007-05-11 01:54:11 0000 -------
I agree with Falco, no glsa.

------- Comment #23 From Sune Kloppenborg Jeppesen 2007-05-11 07:04:40 0000 -------
Closing with NO GLSA.
