Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 392349 (CVE-2011-4355) - <sys-devel/gdb-7.5: Loads untrusted files with possible arbitrary code execution (CVE-2011-4355)
Summary: <sys-devel/gdb-7.5: Loads untrusted files with possible arbitrary code execut...
Alias: CVE-2011-4355
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on:
Reported: 2011-11-29 04:33 UTC by Michael Harrison
Modified: 2015-12-31 04:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2011-11-29 04:33:43 UTC
It was discovered [1],[2] the the GNU Debugger (gdb) would load untrusted files
from the current working directory when .debug_gdb_scripts was defined.  While
this was a design decision, it is an insecure one and users who do not
pre-inspect untrusted files may execute arbitrary code with their privileges.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-06 23:34:22 UTC
CVE-2011-4355 (
  GNU Project Debugger (GDB) before 7.5, when .debug_gdb_scripts is defined,
  automatically loads certain files from the current working directory, which
  allows local users to gain privileges via crafted files such as Python
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-28 20:15:04 UTC
According to CVE this is fixed in 7.5 That has already been stabilized

@maintainers: Please clean up vulnerable versions
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-11-23 03:04:16 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-12-12 17:35:30 UTC
Maintaner(s): Please drop affected versions, security will remove or mask in 30 days if no response.
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2015-08-28 00:02:37 UTC
Vulnerable versions have been removed.

Security, please vote.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:48:25 UTC
Vote: no.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 04:34:06 UTC
GLSA Vote: No
Thank you all. Closing as noglsa.