144833 2006-08-23 02:02 0000 sys-devel/gdb: dwarf2 stack overflow (CVE-2006-4146) 2007-06-24 23:31:36 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204841 A? [noglsa] jaervosz P2 normal --- 1 taviso@gentoo.org security@gentoo.org mips@gentoo.org toolchain@gentoo.org taviso@gentoo.org 2006-08-23 02:02:33 0000 ====================== Will Drewry <wad@google.com> of the Google Security Team has found multiple exploitable vulnerabilities in the DWARF and DWARF2 code. Initially, Tavis Ormandy <taviso@google.com>, also of the Google Security Team, discovered a crash condition in GDB related to DWARF2 debugging information. This discovery led to the further exploration of the condition, and the discovery of the security implications. The DWARF specification allows location description blocks containing a list of operations to be used to determine the final real address for some debugging symbol. GDB evaluates these operations on an unchecked stack buffer of size 64. This allows for any location block (DW_FORM_block) with more than 64 operations to overwrite the current stack frame with arbitrary user-supplied data. This behavior occurs in both dwarfread.c and dwarfread2.c. ==================== taviso@gentoo.org 2006-08-23 02:03:06 0000 Created an attachment (id=94918) patch vapier@gentoo.org 2006-08-23 07:49:03 0000 i assume you will take care of pushing this upstream ? jaervosz@gentoo.org 2006-09-01 04:16:17 0000 This is now public. jaervosz@gentoo.org 2006-09-05 06:36:28 0000 Toolchain any news on this one? vapier@gentoo.org 2006-09-05 22:44:51 0000 upstream gdb hasnt merged anything jaervosz@gentoo.org 2006-09-13 23:36:36 0000 Ok, returning to upstream status for now. jaervosz@gentoo.org 2007-03-25 11:53:30 0000 Half a year has passed, any news from upstream? vapier@gentoo.org 2007-03-25 12:20:42 0000 looks like it's been merged so i should cut the patch for our 6.6 ebuild vapier@gentoo.org 2007-03-31 21:47:07 0000 i lied ... upstream hasnt merged anything, i confused the redhat cvs commit as an upstream sourceware commit ive added said patch to our patchset though rather than continue waiting for upstream to do nothing ... gdb-6.6-r2 out the door aetius@gentoo.org 2007-04-05 00:32:47 0000 Thanks Mike - arches, please stabilize sys-devel/gdb-6.6-r2. corsair@gentoo.org 2007-04-05 06:32:48 0000 ppc64 stable maekke@gentoo.org 2007-04-05 14:46:41 0000 sys-devel/gdb-6.6-r2 USE="nls test -vanilla" 1. emerges on x86 2. fails test suite: === gdb Summary === # of expected passes 10999 # of unexpected failures 47 # of unexpected successes 1 # of expected failures 41 # of unknown successes 9 # of known failures 65 # of unresolved testcases 2 # of untested testcases 8 # of unsupported tests 11 3. passes collision test 4. but seems to work Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19.7 i686) ================================================================= System uname: 2.6.19.7 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System release 1.12.9 Timestamp of tree: Thu, 05 Apr 2007 13:00:08 +0000 dev-java/java-config: 1.3.7, 2.0.31 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner" FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa" Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY vapier@gentoo.org 2007-04-05 19:08:58 0000 test suite failure for gdb is normal fauli@gentoo.org 2007-04-06 11:10:04 0000 x86 stable welp@gentoo.org 2007-04-06 15:58:29 0000 amd64 stable. jer@gentoo.org 2007-04-06 16:20:18 0000 Stable for HPPA. armin76@gentoo.org 2007-04-09 20:35:33 0000 ia64 stable mcummings@gentoo.org 2007-04-10 11:34:30 0000 sparc done yoswink@gentoo.org 2007-04-10 14:21:45 0000 alpha ready dertobi123@gentoo.org 2007-04-11 19:42:20 0000 ppc stable falco@gentoo.org 2007-05-08 19:34:43 0000 forgotten. Caling a vote. I vote noglsa because of a hard exploitation on functions used by specialists. shellsage@gentoo.org 2007-05-11 01:54:11 0000 I agree with Falco, no glsa. jaervosz@gentoo.org 2007-05-11 07:04:40 0000 Closing with NO GLSA. 94918 2006-08-23 02:03 0000 patch gdb+cvs20060822_CVE-2006-4146.patch text/plain ZGlmZiAtTmF1cnAgc3JjLm9yaWcvZ2RiL0NoYW5nZUxvZyBzcmMvZ2RiL0NoYW5nZUxvZwotLS0g c3JjLm9yaWcvZ2RiL0NoYW5nZUxvZwkyMDA2LTA4LTIyIDA5OjQzOjM4LjAwMDAwMDAwMCArMDEw MAorKysgc3JjL2dkYi9DaGFuZ2VMb2cJMjAwNi0wOC0yMiAxMTozMDo0Ny4wMDAwMDAwMDAgKzAx MDAKQEAgLTEsMyArMSwxMCBAQAorMjAwNi0wOC0yMiAgV2lsbCBEcmV3cnkgPHdhZEBnb29nbGUu Y29tPgorCSAgICBUYXZpcyBPcm1hbmR5IDx0YXZpc29AZ29vZ2xlLmNvbT4KKworCSogZHdhcmYy cmVhZC5jIChkZWNvZGVfbG9jZGVzYyk6IEVuZm9yY2UgbG9jYXRpb24gZGVzY3JpcHRpb24gc3Rh Y2sKKwlib3VuZGFyaWVzLgorCSogZHdhcmZyZWFkLmMgKGxvY3ZhbCk6IExpa2V3aXNlLgorCiAy MDA2LTA4LTE5ICBEYW5pZWwgSmFjb2Jvd2l0eiAgPGRhbkBjb2Rlc291cmNlcnkuY29tPgogCiAJ KiBNYWtlZmlsZS5pbiAoYW1kNjRfbGludXhfdGRlcF9oKTogTmV3LgpkaWZmIC1OYXVycCBzcmMu b3JpZy9nZGIvZHdhcmYycmVhZC5jIHNyYy9nZGIvZHdhcmYycmVhZC5jCi0tLSBzcmMub3JpZy9n ZGIvZHdhcmYycmVhZC5jCTIwMDYtMDgtMjIgMDk6NDM6MzguMDAwMDAwMDAwICswMTAwCisrKyBz cmMvZ2RiL2R3YXJmMnJlYWQuYwkyMDA2LTA4LTIyIDExOjMxOjU0LjAwMDAwMDAwMCArMDEwMApA QCAtODc1NCw4ICs4NzU0LDcgQEAgZHdhcmYyX2Z1bmRhbWVudGFsX3R5cGUgKHN0cnVjdCBvYmpm aWxlIAogICAgY2FsbGVycyB3aWxsIG9ubHkgd2FudCBhIHZlcnkgYmFzaWMgcmVzdWx0IGFuZCB0 aGlzIGNhbiBiZWNvbWUgYQogICAgY29tcGxhaW50LgogCi0gICBOb3RlIHRoYXQgc3RhY2tbMF0g aXMgdW51c2VkIGV4Y2VwdCBhcyBhIGRlZmF1bHQgZXJyb3IgcmV0dXJuLgotICAgTm90ZSB0aGF0 IHN0YWNrIG92ZXJmbG93IGlzIG5vdCB5ZXQgaGFuZGxlZC4gICovCisgICBOb3RlIHRoYXQgc3Rh Y2tbMF0gaXMgdW51c2VkIGV4Y2VwdCBhcyBhIGRlZmF1bHQgZXJyb3IgcmV0dXJuLiAqLwogCiBz dGF0aWMgQ09SRV9BRERSCiBkZWNvZGVfbG9jZGVzYyAoc3RydWN0IGR3YXJmX2Jsb2NrICpibGss IHN0cnVjdCBkd2FyZjJfY3UgKmN1KQpAQCAtODc3Miw3ICs4NzcxLDcgQEAgZGVjb2RlX2xvY2Rl c2MgKHN0cnVjdCBkd2FyZl9ibG9jayAqYmxrLAogCiAgIGkgPSAwOwogICBzdGFja2kgPSAwOwot ICBzdGFja1tzdGFja2ldID0gMDsKKyAgc3RhY2tbKytzdGFja2ldID0gMDsKIAogICB3aGlsZSAo aSA8IHNpemUpCiAgICAgewpAQCAtODk1MSw2ICs4OTUwLDE2IEBAIGRlY29kZV9sb2NkZXNjIChz dHJ1Y3QgZHdhcmZfYmxvY2sgKmJsaywKIAkJICAgICBkd2FyZl9zdGFja19vcF9uYW1lIChvcCkp OwogCSAgcmV0dXJuIChzdGFja1tzdGFja2ldKTsKIAl9CisgICAgICAvKiBFbmZvcmNlIG1heGlt dW0gc3RhY2sgZGVwdGggb2Ygc2l6ZS0xIHRvIGF2b2lkICsrc3RhY2tpIHdyaXRpbmcKKyAgICAg ICAgIG91dHNpZGUgb2YgdGhlIGFsbG9jYXRlZCBzcGFjZS4gQWxzbyBlbmZvcmNlIG1pbmltdW0g PiAwLgorICAgICAgICAgLS0gd2FkQGdvb2dsZS5jb20gMTQgQXVnIDIwMDYgKi8KKyAgICAgIGlm IChzdGFja2kgPj0gc2l6ZW9mIChzdGFjaykgLyBzaXplb2YgKCpzdGFjaykgLSAxKQorCWludGVy bmFsX2Vycm9yIChfX0ZJTEVfXywgX19MSU5FX18sCisJICAgICAgICAgICAgICAgIF8oImxvY2F0 aW9uIGRlc2NyaXB0aW9uIHN0YWNrIHRvbyBkZWVwOiAlZCIpLAorCSAgICAgICAgICAgICAgICBz dGFja2kpOworICAgICAgaWYgKHN0YWNraSA8PSAwKQorCWludGVybmFsX2Vycm9yIChfX0ZJTEVf XywgX19MSU5FX18sCisJICAgICAgICAgICAgICAgIF8oImxvY2F0aW9uIGRlc2NyaXB0aW9uIHN0 YWNrIHRvbyBzaGFsbG93IikpOwogICAgIH0KICAgcmV0dXJuIChzdGFja1tzdGFja2ldKTsKIH0K ZGlmZiAtTmF1cnAgc3JjLm9yaWcvZ2RiL2R3YXJmcmVhZC5jIHNyYy9nZGIvZHdhcmZyZWFkLmMK LS0tIHNyYy5vcmlnL2dkYi9kd2FyZnJlYWQuYwkyMDA1LTEyLTE3IDIyOjMzOjU5LjAwMDAwMDAw MCArMDAwMAorKysgc3JjL2dkYi9kd2FyZnJlYWQuYwkyMDA2LTA4LTIyIDExOjMxOjU1LjAwMDAw MDAwMCArMDEwMApAQCAtMjEzOCw5ICsyMTM4LDcgQEAgZGVjb2RlX2xpbmVfbnVtYmVycyAoY2hh ciAqbGluZXRhYmxlKQogCiAgICBOT1RFUwogCi0gICBOb3RlIHRoYXQgc3RhY2tbMF0gaXMgdW51 c2VkIGV4Y2VwdCBhcyBhIGRlZmF1bHQgZXJyb3IgcmV0dXJuLgotICAgTm90ZSB0aGF0IHN0YWNr IG92ZXJmbG93IGlzIG5vdCB5ZXQgaGFuZGxlZC4KLSAqLworICAgTm90ZSB0aGF0IHN0YWNrWzBd IGlzIHVudXNlZCBleGNlcHQgYXMgYSBkZWZhdWx0IGVycm9yIHJldHVybi4gKi8KIAogc3RhdGlj IGludAogbG9jdmFsIChzdHJ1Y3QgZGllaW5mbyAqZGlwKQpAQCAtMjE2MCw3ICsyMTU4LDcgQEAg bG9jdmFsIChzdHJ1Y3QgZGllaW5mbyAqZGlwKQogICBsb2MgKz0gbmJ5dGVzOwogICBlbmQgPSBs b2MgKyBsb2NzaXplOwogICBzdGFja2kgPSAwOwotICBzdGFja1tzdGFja2ldID0gMDsKKyAgc3Rh Y2tbKytzdGFja2ldID0gMDsKICAgZGlwLT5pc3JlZyA9IDA7CiAgIGRpcC0+b2ZmcmVnID0gMDsK ICAgZGlwLT5vcHRpbWl6ZWRfb3V0ID0gMTsKQEAgLTIyMjQsNiArMjIyMiwxNiBAQCBsb2N2YWwg KHN0cnVjdCBkaWVpbmZvICpkaXApCiAJICBzdGFja2ktLTsKIAkgIGJyZWFrOwogCX0KKyAgICAg IC8qIEVuZm9yY2UgbWF4aW11bSBzdGFjayBkZXB0aCBvZiBzaXplLTEgdG8gYXZvaWQgKytzdGFj a2kgd3JpdGluZworICAgICAgICAgb3V0c2lkZSBvZiB0aGUgYWxsb2NhdGVkIHNwYWNlLiBBbHNv IGVuZm9yY2UgbWluaW11bSA+IDAuCisgICAgICAgICAtLSB3YWRAZ29vZ2xlLmNvbSAxNCBBdWcg MjAwNiAqLworICAgICAgaWYgKHN0YWNraSA+PSBzaXplb2YgKHN0YWNrKSAvIHNpemVvZiAoKnN0 YWNrKSAtIDEpCisJaW50ZXJuYWxfZXJyb3IgKF9fRklMRV9fLCBfX0xJTkVfXywKKwkgICAgICAg ICAgICAgICAgXygibG9jYXRpb24gZGVzY3JpcHRpb24gc3RhY2sgdG9vIGRlZXA6ICVkIiksCisJ ICAgICAgICAgICAgICAgIHN0YWNraSk7CisgICAgICBpZiAoc3RhY2tpIDw9IDApCisJaW50ZXJu YWxfZXJyb3IgKF9fRklMRV9fLCBfX0xJTkVfXywKKwkgICAgICAgICAgICAgICAgXygibG9jYXRp b24gZGVzY3JpcHRpb24gc3RhY2sgdG9vIHNoYWxsb3ciKSk7CiAgICAgfQogICByZXR1cm4gKHN0 YWNrW3N0YWNraV0pOwogfQo=