FS#41713 : [glibc] CVE-2014-5119

FS#41713 - [glibc] CVE-2014-5119

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Wednesday, 27 August 2014, 07:42 GMT
Last edited by Allan McRae (Allan) - Wednesday, 10 September 2014, 00:30 GMT

Task Type	Bug Report
Category	Packages: Core
Status	Closed
Assigned To	Allan McRae (Allan)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	5 Ingo Albrecht (indigo) (2014-09-02) Amitav (amitavmohanty01) (2014-09-01) Christian Hesse (eworm) (2014-08-28) Stefan Schweter (stefans) (2014-08-28) Marti (intgr) (2014-08-27)
Private	No

Details

Hello,

glibc <= 2.19 is vulnerable to a heap-based buffer overflow in the
transliteration module loading code. As a result, an attacker
who can supply a crafted destination character set argument to
iconv-related character conversation functions could achieve arbitrary
code execution.

A fix removing the flawed code has been committed upstream [1] and applied by debian [2],
so we probably should add the same patch in Arch.

[1]: https://sourceware.org/ml/glibc-cvs/2014-q3/msg00212.html
[2]: http://anonscm.debian.org/viewvc/pkg-glibc/glibc-package/trunk/debian/patches/any/cvs-CVE-2014-5119.diff?revision=6248&view=markup

This task depends upon

Closed by Allan McRae (Allan)
Wednesday, 10 September 2014, 00:30 GMT
Reason for closing: Fixed
Additional comments about closing: glibc-2.20 in [testing]

Comment by Allan McRae (Allan) - Thursday, 28 August 2014, 10:29 GMT

I am preparing a 2.19 backport upstream and will push a 2.19.1 package when that is done (provided I do not release 2.20 first)

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#41713 - [glibc] CVE-2014-5119

Details

Loading...