Bug 203875 - (CVE-2006-4146) CVE-2006-4146 GDB buffer overflow
CVE-2006-4146 GDB buffer overflow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: gdb (Show other bugs)
3.8
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jan Kratochvil
Jay Turner
source=vendorsec,reported=20060815,im...
: Security
: 234464 (view as bug list)
Depends On: 203873
Blocks:
  Show dependency treegraph
 
Reported: 2006-08-24 02:21 EDT by Alexandre Oliva
Modified: 2015-01-07 19:14 EST (History)
8 users (show)

See Also:
Fixed In Version: RHSA-2007-0469
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-11 13:51:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 6 Mark J. Cox (Product Security) 2007-03-29 11:25:45 EDT
From: "Will Drewry" <drewry@google.com>
Subject: Multiple vulnerabilities in GDB
To: dan@debian.org, jimb@codesourcery.com, ezannoni@redhat.com
Cc: cve@mitre.org, vendor-sec@lst.de
Date: Tue, 15 Aug 2006 18:59:33 +0100
Reply-To: wad@google.com

Hi GDB maintainers (et. al.) -

I'm mailing to inform you that I've run across some exploitable
vulnerabilities in GDB.  I've included a simple patch along with
a proof of concept in the advisory below.


The GNU Debugger (GDB) Multiple Vulnerabilities
-----------------------------------------------

Summary
-------

Multiple vulnerabilities have been discovered in the GNU debugger that allow
for the execution of arbitrary code.


Background
----------

GDB is the GNU Project Debugger. It is described on its project page
[http://www.gnu.org/software/gdb/] as allowing "you to see what is going on
`inside' another program while it executes -- or what another program was doing
at the moment it crashed."

DWARF is a information format standard used to represent debugging information
for a specific binary. While the first version was originally used in ELF, ELF
later moved to STABS. In more recent years, DWARF version 2.0 has been
reintroduced into ELF binaries. More information can be found at
http://dwarf.freestandards.org.


Impact
------

A successful exploit would result in the execution of arbitrary code on the
loading of a specially crafted executable.

This a viable mechanism for an attacker to escape restricted environments by
piggybacking exploit code on seeming harmless files often used for debugging.
In the worst case, this could allow for privilege escalation.


Workaround
----------

Do not use GDB on untrusted files that may have DWARF(2) debugging information,
e.g.  binaries and core files. There is no way to verify if an untrusted file
is safe to debug without investigating the debugging symbols manually.


Discussion
----------

Will Drewry <wad@google.com> of the Google Security Team has found multiple
exploitable vulnerabilities in the DWARF and DWARF2 code. Initially,
Tavis Ormandy <taviso@google.com>, also of the Google Security Team,
discovered a crash condition in GDB related to DWARF2 debugging information.
This discovery led to the further exploration of the condition, and the
discovery of the security implications.

The DWARF specification allows location description blocks containing a list of
operations to be used to determine the final real address for some debugging
symbol. GDB evaluates these operations on an unchecked stack buffer of size 64.
This allows for any location block (DW_FORM_block) with more than 64 operations
to overwrite the current stack frame with arbitrary user-supplied data.  This
behavior occurs in both dwarfread.c and dwarfread2.c.
Comment 9 Red Hat Bugzilla 2007-06-11 13:51:41 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0469.html

Note You need to log in before you can comment on or make changes to this bug.