DescriptionBinaries compiled against targets that use the libssp library in GCC for stack smashing protection (SSP) might allow local users to perform buffer overflow attacks by leveraging lack of the Object Size Checking feature.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs848704

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gcc-mingw-w64 (PTS)buster21.3~deb10u2vulnerable
bookworm, sid25.2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gcc-4.9source(unstable)(not affected)
gcc-5source(unstable)(not affected)
gcc-6source(unstable)(not affected)

- gcc-6 <not-affected> (Uses glibc-internal SSP)
- gcc-5 <not-affected> (Uses glibc-internal SSP)
- gcc-4.9 <not-affected> (Uses glibc-internal SSP)
[wheezy] - mingw32 <no-dsa> (Minor issue)
Missing security feature, not a direct vulnerability

Search for package or bug name: Reporting problems