CVE-2016-4973

NameCVE-2016-4973
DescriptionBinaries compiled against targets that use the libssp library in GCC for stack smashing protection (SSP) might allow local users to perform buffer overflow attacks by leveraging lack of the Object Size Checking feature.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs848704

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gcc-4.9 (PTS)jessie, jessie (lts)4.9.2-10+deb8u2fixed
gcc-6 (PTS)stretch (security), stretch (lts), stretch6.3.0-18+deb9u1fixed
gcc-mingw-w64 (PTS)jessie14.3vulnerable
stretch19.3vulnerable
buster21.3~deb10u2vulnerable
bullseye24.2vulnerable
bookworm25.2vulnerable
sid, trixie26.6vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gcc-4.9source(unstable)(not affected)
gcc-5source(unstable)(not affected)
gcc-6source(unstable)(not affected)
gcc-mingw-w64source(unstable)(unfixed)unimportant848704
mingw32source(unstable)(unfixed)

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1324759
- gcc-6 <not-affected> (Uses glibc-internal SSP)
- gcc-5 <not-affected> (Uses glibc-internal SSP)
- gcc-4.9 <not-affected> (Uses glibc-internal SSP)
[wheezy] - mingw32 <no-dsa> (Minor issue)
Missing security feature, not a direct vulnerability

Search for package or bug name: Reporting problems