Ubuntu alert USN-6842-1 (gdb)


From:
               Bruce Cable <bruce.cable@canonical.com>
To:
               ubuntu-security-announce@lists.ubuntu.com
Subject:
               [USN-6842-1] gdb vulnerabilities
Date:
               Thu, 20 Jun 2024 18:16:13 +1000
Message-ID:
               <58565df5-0817-4787-9b26-3501e19c1a99@canonical.com>
==========================================================================
Ubuntu Security Notice USN-6842-1
June 20, 2024

gdb vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

gdb could be made to crash if it opened a specially crafted file.

Software Description:
- gdb: GNU Debugger

Details:

It was discovered that gdb incorrectly handled certain memory operations
when parsing an ELF file. An attacker could possibly use this issue
to cause a denial of service. This issue is the result of an
incomplete fix for CVE-2020-16599. This issue only affected
Ubuntu 22.04 LTS. (CVE-2022-4285)

It was discovered that gdb incorrectly handled memory leading
to a heap based buffer overflow. An attacker could use this
issue to cause a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS.
(CVE-2023-1972)

It was discovered that gdb incorrectly handled memory leading
to a stack overflow. An attacker could possibly use this issue
to cause a denial of service. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-39128)

It was discovered that gdb had a use after free vulnerability
under certain circumstances. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS
and Ubuntu 22.04 LTS. (CVE-2023-39129)

It was discovered that gdb incorrectly handled memory leading to a
heap based buffer overflow. An attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. This issue
only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-39130)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
   gdb                             12.1-0ubuntu1~22.04.2
   gdbserver                       12.1-0ubuntu1~22.04.2

Ubuntu 20.04 LTS
   gdb                             9.2-0ubuntu1~20.04.2
   gdbserver                       9.2-0ubuntu1~20.04.2

Ubuntu 18.04 LTS
   gdb                             8.1.1-0ubuntu1+esm1
                                   Available with Ubuntu Pro
   gdbserver                       8.1.1-0ubuntu1+esm1
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
   gdb                             7.11.1-0ubuntu1~16.5+esm1
                                   Available with Ubuntu Pro
   gdbserver                       7.11.1-0ubuntu1~16.5+esm1
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6842-1
   CVE-2022-4285, CVE-2023-1972, CVE-2023-39128, CVE-2023-39129,
   CVE-2023-39130

Package Information:
   https://launchpad.net/ubuntu/+source/gdb/12.1-0ubuntu1~22...
   https://launchpad.net/ubuntu/+source/gdb/9.2-0ubuntu1~20....



Attachment: None (type=text/html)
(elided)


Attachment: OpenPGP_0xB86AEDCE8B7BA4E7.asc (type=application/pgp-keys)
-----BEGIN PGP PUBLIC KEY BLOCK-----

xsDNBGYvHjQBDADOi4xF8D69+cDdNMpjhdrWL3Hs7cRLXj2+aOPuMJXBw+dKUeOJ
eLHWnU+yhzQAJTVMSO/cYSzbJSkSF45dSnAIwYU9A501PWv786NEBNNe76y7B8Nm
PTQlRHdet678wzNNvIPCF/Ovll1dmRwh6OBvuSGrjhAITv3F6fDYyP2GE9lfDYyr
aMvG6HxkUZF5mAOB8N0AkVQaiIVLNOXHeKcpznw0G0uW3LtMMQWlm/VPLnaAwehK
0xHW6iK9ou5t5pWYJHoLRWbLTqUHDa9wvDaW+UGMsReVymXRJApHmS/li16TOaJN
w5xyz2NZ30f8FEstdTPo3OmZGcOSqztaqJAKn2tePDTnGXr/yj6wognQGZzXMcRi
uyyN+8j98u1pGwIVnxBQuq+lvpnC6acLvGjrp7F8g5zj6yeYGPJoR1Zp4eP7vbim
KhwK5tQxyoN0b5jP+PdGRQ3AwCBIGVSMRx58JTrPTdmfbVTswlVx+Zc4SeMY9PkO
t8PYsDZR+op2mK0AEQEAAc0nQnJ1Y2UgQ2FibGUgPGJydWNlLmNhYmxlQGNhbm9u
aWNhbC5jb20+wsEOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE
kd98mdFcnQdP7vQkuGrtzot7pOcFAmYvIIEACgkQuGrtzot7pOetwwv9F4wYw/6x
ZEAp0Vu5F8QlO1rKzEM2eI7Hle/YUEglOdEkKKgtOIrTFlGNIAovVrG/tR8iIdyb
JpEKZoD8e7Vq4wUDNMMTdmrDcetVIHJHCE6ZsFNTXuETss2oKZWPlYAWu9WKK/a3
CukscfORCuR7dVMXOSQ/B9MIt4KabfqOZo6Quh79HHLBNku4FfDlAoiBbG7jEir+
P8QgcJXG8PXjZC4TeVlY4nzGvecr/HVZuuX31GKjqvNRFgohWNYEveDy9zbdkqSf
OgpPHM5E3AAsZUNplo6iIWpxsJ8CyaO9kCNpAQko4rohmYp/VdC/PjaINZKqYT2w
RcZBhsaz8UnZ/frmPTQI8vYOMjhrJx+/t6j1U4hPc1IxeZONoe/vwPlFeR3tpJTC
Ve9uBEGDHZ4peg7wYq6soBaywPZtfhv+vdYfAjJ2W5Ve1xdWXn/Ni3t2Jj0zKOp1
EskzVYobpty3eAoW6BHL1YTin+1BRyt0fB0NoK956UNvQ0EHMm4+n2d2wsEUBBMB
CgA+FiEEkd98mdFcnQdP7vQkuGrtzot7pOcFAmYvHjQCGwMFCQPCZwAFCwkIBwIG
FQoJCAsCBBYCAwECHgECF4AACgkQuGrtzot7pOch/gv6A/IpwNg2u8tHVshl6skL
jdg+ZbN1iXjEWl/yZhPInPni0N3j+uYXO5WcbcnzHCABwl23CEXONDqK56YSFA3w
CriafqM60+8T0rhtE7V1ZDTnlscYWngW135EbPjTMV97UPAzGNJFxQABcNze3Ol3
Gfzqi8PM4dua+rBhuc7frLPGMnr6Uh0dK+48zkR7A3S4FpPodW9Lrx+3p1D4msF+
fCVqiXJAgNZ+4+4DLvw/Z0TqAfq8+p1U5ZPQghmY5t7Eb/ohqmMAHvfwt0ydqTb6
dPQFDftoS5X8k+bq3K2jcjjiXKpnfr2enUtLyC542bXWNcPd0plYYzrU4NI/jLsa
+65eMsJL+jMonB03lvbKcAmJriwsz8ptJPzOeRF+7XYYmgO7qg3FFTcxiomhPKSH
Fm+NAWzxTmHLzNQ93Y+3qSiQ0JGHs3M/68Juzl88qFhOqVUPZkd0q/fQpWWE/DU2
qDIpTJB/EOzrVjlgp9qTGJV1skGtW40nvhhpRhR/njz6zsDNBGYvHjQBDADGlkFl
ersL/tg3bhamgmyYg89KXwxILy7k74KtWQ/dufAf8M11q4y0BpzMu00nTRC0M5NH
nMSqZcvwz+iWvNDc5SiL4OwNg8YKU/3oGmCLBKDpWzXvBhLkGw8L94CLRakU358P
QCtmmPMdYVQ/HBJoxFhnzDPxe9ioPUm/sFaRHswCK/0hJ0q7LUz8w2D6gy+3SDcy
/9MaHTVRarGSVCeShz7qwAg/1dLTFosgxrb4fEKlldlbO97AM+GCpgt1Jew5e88Y
LEWP59/h6kDTQrPddUBO7hVNbly3Pxc8eL9b3iQ1wRJxBNrJ0hlGE4nBw6tVmUjc
vpngQHJ8ZmxQnVs3oVvZESFu6JPoqgNS8VhEAI6EnEOFFm5HL9uDL71fmacAWRrm
9gh1qsMByVvB6pOpeWSQPRicrgAAMcZP+COYl6uqwc2VCKL9NxahrjPjecSUHoEc
78tnVkHrOJiyUa4Xu1AJgeLuwhFnGbgF3SJ4/8/rrYoHScIS9+yKmYzHYDcAEQEA
AcLA/AQYAQoAJhYhBJHffJnRXJ0HT+70JLhq7c6Le6TnBQJmLx40AhsMBQkDwmcA
AAoJELhq7c6Le6Tn/0YL/3u59UilxpTpYCc24LevE7/2RgDHjxG+2TSPs+0G7jN5
wruyvRWOVahZ/N+XW2QLuOUimuYcRtDlAwwd/nsz8OMvVZ++NcFgKJNLUJOqe7Fn
t1oYtTUx9JX7E4j5+SZgG5ORWc4YfLx9hKRxfxZuKOjYrAjPn3f21TppQyhc/mt7
7afVn5tWGGAtV1LTf+qg8JZYLDk6/uz60QFmLga5/r5JDYsrZ9tLrlKymBL2CvJA
B80PAmY7BG0xcJPBU92rU/vj1qEBkQq6tV9dJMmf8u3j3PXVMQTvlm83INjr71lt
bzA/Wy6jHoW1xUWzDb6RKHpfLu87QJ9JMNe/A7eK3xWIwe9aDaQv1pftZ1p3DYau
4xZW0n/FI+30ZxH3W1dTuR2nodEPZIUtD2y8iZyQYie1Ru02rTnw364h/dAB2o7P
MGn/BTYQXiui5WHdgd4e8zAYTC8OSAVw5qjh42UIMltpCX5dli5blaM0lK70x2xe
24qugAHoDe4CIMOsmvXvEw==
=NMey
-----END PGP PUBLIC KEY BLOCK-----


Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

wsD5BAABCAAjFiEEkd98mdFcnQdP7vQkuGrtzot7pOcFAmZz5U0FAwAAAAAACgkQuGrtzot7pOdI
QQv9Gk302kzq4PWJ/6W542oTpntIkVlfSTK1WrB3T5a+rrt0PjYgwu+n9QbmQaw2Yb7Sc2rd4EpS
IoEeMY+IWleUpRlmZqDRJz13srmKjc5HP86jIpvfYUr9EnNsqV+YS8x+YuJ/Kb39UvK/BDsVX7SR
g/X1OG0ZH0LWQNk2DigCl8TAJrxB4Y8iD8Wh7l54DgeSOna39neoa0bZVFbRlUpTS3JM/Z8YoLnD
GH6a6V76Vp8uIQsx9AmJv92wMC1zOGNbwaKZC0Yo+d3jezVjnjY4ZK/YP0CBQYymio6OvOUw2wxX
+7ZYMmGorvmbpCYhsBZeyvIN4TdWUrerxiey6D7ypTlhUgGlNlU0a57P3ZIA1Pjlr9FAl2nrYsHs
PxB4xcqqTdnBm0OJ+oFoeRZu6TtZD+HW2UYprDa1OPF41Erq8Zw8SqcgWZHHBMU6ZWlMwgbiqV1S
7pe8hLpuFZyNX3QdqEgM50pFRC36wp5KlwKwiQiISawrLa+wY3xDak+aG6qD
=ZRG1
-----END PGP SIGNATURE-----


Attachment: None (type=text/plain)
From:		Bruce Cable <bruce.cable@canonical.com>
To:		ubuntu-security-announce@lists.ubuntu.com
Subject:		[USN-6842-1] gdb vulnerabilities
Date:		Thu, 20 Jun 2024 18:16:13 +1000
Message-ID:		<58565df5-0817-4787-9b26-3501e19c1a99@canonical.com>