
FS#41713 - [glibc] CVE-2014-5119

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Wednesday, 27 August 2014, 07:42 GMT
Last edited by Allan McRae (Allan) - Wednesday, 10 September 2014, 00:30 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No
glibc <= 2.19 is vulnerable to a heap-based buffer overflow in the
transliteration module loading code. As a result, an attacker
who can supply a crafted destination character set argument to
iconv-related character conversion functions could achieve arbitrary
code execution.

A fix removing the flawed code has been committed upstream [1] and applied by Debian [2],
so we probably should add the same patch in Arch.
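The application-side mitigation for the problem described above, as an added example that is not part of this bug report or of glibc: a program that lets callers choose the destination charset should compare the request against a fixed allowlist and hand only the allowlisted string to iconv_open(), so an arbitrary caller-supplied charset name never reaches glibc's module loading code. The charset list and function names here are hypothetical.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist of destination charsets this application supports.
 * Untrusted input is only ever compared against these fixed strings; the
 * string passed to iconv_open() always comes from this table. */
static const char *const allowed_tocodes[] = {
    "UTF-8", "ISO-8859-1", "US-ASCII", NULL
};

/* Return the allowlist entry matching name, or NULL if it is not permitted.
 * The comparison is exact, so decorated or look-alike names (suffixes,
 * different case, trailing spaces) are rejected as a whole. */
const char *vetted_tocode(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; allowed_tocodes[i] != NULL; i++)
        if (strcmp(name, allowed_tocodes[i]) == 0)
            return allowed_tocodes[i];
    return NULL;
}

/* Convert UTF-8 input into the requested charset, but only if that charset is
 * allowlisted. Returns the number of bytes written to out, or -1 with errno
 * set (EINVAL when the charset was rejected before any glibc call). */
long convert_from_utf8(const char *tocode, const char *in, size_t inlen,
                       char *out, size_t outcap)
{
    const char *safe = vetted_tocode(tocode);
    if (safe == NULL) {
        errno = EINVAL;
        return -1;
    }

    iconv_t cd = iconv_open(safe, "UTF-8");
    if (cd == (iconv_t)-1)
        return -1;

    char *inp = (char *)in, *outp = out;
    size_t inleft = inlen, outleft = outcap;
    size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
    int saved = errno;
    iconv_close(cd);
    if (rc == (size_t)-1) {
        errno = saved;
        return -1;
    }
    return (long)(outcap - outleft);
}
```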


This task depends upon

Closed by Allan McRae (Allan)
Wednesday, 10 September 2014, 00:30 GMT
Reason for closing: Fixed
Additional comments about closing: glibc-2.20 in [testing]
Comment by Allan McRae (Allan) - Thursday, 28 August 2014, 10:29 GMT
I am preparing a 2.19 backport upstream and will push a 2.19.1 package when that is done (provided I do not release 2.20 first)