716732 – (CVE-2020-10814) dev-util/codeblocks: Remote code execution via crafted project file (CVE-2020-10814)

Bug 716732 (CVE-2020-10814) - dev-util/codeblocks: Remote code execution via crafted project file (CVE-2020-10814)

Summary: dev-util/codeblocks: Remote code execution via crafted project file (CVE-2020...

Status:	RESOLVED INVALID

Alias:	CVE-2020-10814

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://sourceforge.net/p/codeblocks/...
Whiteboard:	B2 [upstream cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-04-08 21:08 UTC by Sam James
Modified:	2022-08-19 20:29 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-04-08 21:08:04 UTC

Description:
"A buffer overflow vulnerability in Code::Blocks 17.12 allows an attacker to execute arbitrary code via a crafted project file."

Comment 1 John Helmert III archtester

2022-08-11 03:07:14 UTC

Seemingly still vulnerable. At least, I was able to get a stack trace full of 0x41's after following the reproduction instructions and trying to make a debug build.

Unfortunately, upstream's closed the report as invalid and URL is dead after their domain expired. Wayback link: https://web.archive.org/web/20200818054319/https://www.povonsec.com/codeblocks-security-vulnerability/

Comment 2 John Helmert III archtester

2022-08-19 20:29:47 UTC

Actually, upon some reflection I'm inclined to agree with upstream. If an attacker can manipulate someone into loading a malicious codeblocks project, they could probably do whatever they wanted via the code in that project anyway.