Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 690582 (CVE-2019-1010180) - <sys-devel/gdb-9.1: out of bounds memory access in bfd library (elfcode.h) (CVE-2019-1010180)
Summary: <sys-devel/gdb-9.1: out of bounds memory access in bfd library (elfcode.h) (C...
Status: RESOLVED FIXED
Alias: CVE-2019-1010180
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-24 14:40 UTC by D'juan McDonald (domhnall)
Modified: 2020-03-29 17:50 UTC (History)
1 user (show)

See Also:
Package list:
sys-devel/gdb-9.1 dev-libs/xxhash-0.6.5
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-07-24 14:40:59 UTC 
(https://nvd.nist.gov/vuln/detail/CVE-2019-1010180):
GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.




Gentoo Security Padawan
(domhnall)
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 20:48:26 UTC 
This is in gdb 9.1, as per the upstream bug.

Doesn't seem that fix is in anything other than 9.1.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2020-03-02 05:19:47 UTC 
This has been added to a production version. 
https://sourceware.org/bugzilla/show_bug.cgi?id=23657#c11

Maintainers, please create an appropriate ebuild, and call for stabilization when ready.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-03 14:43:29 UTC 
We can stabilize existing sys-devel/gdb-9.1.
Comment 4 Stabilization helper bot gentoo-dev 2020-03-03 15:01:19 UTC 
An automated check of this bug failed - repoman reported dependency errors (123 lines truncated): 

> dependency.bad sys-devel/gdb/gdb-9.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['dev-libs/xxhash']
> dependency.bad sys-devel/gdb/gdb-9.1.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['dev-libs/xxhash']
> dependency.bad sys-devel/gdb/gdb-9.1.ebuild: DEPEND: arm64(default/linux/arm64/17.0) ['dev-libs/xxhash']
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-06 11:35:55 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-06 12:32:32 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-07 08:25:21 UTC 
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-07 08:59:24 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-07 10:50:34 UTC 
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-07 10:54:46 UTC 
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-07 12:03:16 UTC 
arm stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-14 21:59:19 UTC 
ia64 stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:06:25 UTC 
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 19:15:03 UTC 
This issue was resolved and addressed in
 GLSA 202003-31 at https://security.gentoo.org/glsa/202003-31
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:15:36 UTC 
Re-opening for remaining architectures.
Comment 16 Rolf Eike Beer archtester 2020-03-16 17:52:16 UTC 
hppa stable
Comment 17 Mart Raudsepp gentoo-dev 2020-03-17 17:57:03 UTC 
arm64 stable with
# of unexpected failures        598
Comment 18 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:08:03 UTC 
SuperH port disbanded.
Comment 19 Larry the Git Cow gentoo-dev 2020-03-29 10:11:10 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d246a8e7d1e202cc441001a27b358d79cd97366

commit 3d246a8e7d1e202cc441001a27b358d79cd97366
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-29 10:10:58 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-29 10:10:58 +0000

    sys-devel/gdb: drop 8.3.1, bug #690582
    
    Bug: https://bugs.gentoo.org/690582
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-devel/gdb/Manifest                     |   1 -
 sys-devel/gdb/files/gdb-8.3.1-gcc-10.patch | 222 ------------------------
 sys-devel/gdb/gdb-8.3.1-r1.ebuild          | 262 -----------------------------
 sys-devel/gdb/gdb-8.3.1.ebuild             | 260 ----------------------------
 4 files changed, 745 deletions(-)
Comment 20 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-29 10:11:40 UTC 
Let's keep ~m68k.
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-29 17:50:00 UTC 
Tree is clean, glsa done, closing.