Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#41713 - [glibc] CVE-2014-5119

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Wednesday, 27 August 2014, 07:42 GMT
Last edited by Allan McRae (Allan) - Wednesday, 10 September 2014, 00:30 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

Hello,

glibc <= 2.19 is vulnerable to a heap-based buffer overflow in the
transliteration module loading code. As a result, an attacker
who can supply a crafted destination character set argument to
iconv-related character conversation functions could achieve arbitrary
code execution.

A fix removing the flawed code has been committed upstream [1] and applied by debian [2],
so we probably should add the same patch in Arch.

[1]: https://sourceware.org/ml/glibc-cvs/2014-q3/msg00212.html
[2]: http://anonscm.debian.org/viewvc/pkg-glibc/glibc-package/trunk/debian/patches/any/cvs-CVE-2014-5119.diff?revision=6248&view=markup

This task depends upon

Closed by  Allan McRae (Allan)
Wednesday, 10 September 2014, 00:30 GMT
Reason for closing:  Fixed
Additional comments about closing:  glibc-2.20 in [testing]
Comment by Allan McRae (Allan) - Thursday, 28 August 2014, 10:29 GMT
I am preparing a 2.19 backport upstream and will push a 2.19.1 package when that is done (provided I do not release 2.20 first)

Loading...