Bug 716732 (CVE-2020-10814) - dev-util/codeblocks: Remote code execution via crafted project file (CVE-2020-10814)
Status: RESOLVED INVALID
Alias: CVE-2020-10814
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceforge.net/p/codeblocks/...
Whiteboard: B2 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-08 21:08 UTC by Sam James
Modified: 2022-08-19 20:29 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 21:08:04 UTC
Description:
"A buffer overflow vulnerability in Code::Blocks 17.12 allows an attacker to execute arbitrary code via a crafted project file."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-11 03:07:14 UTC
Seemingly still vulnerable. At least, I was able to get a stack trace full of 0x41's after following the reproduction instructions and trying to make a debug build.

Unfortunately, upstream's closed the report as invalid and URL is dead after their domain expired. Wayback link: https://web.archive.org/web/20200818054319/https://www.povonsec.com/codeblocks-security-vulnerability/
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-19 20:29:47 UTC
Actually, upon some reflection I'm inclined to agree with upstream. If an attacker can manipulate someone into loading a malicious codeblocks project, they could probably do whatever they wanted via the code in that project anyway.