
[DLA 43-1] eglibc security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package        : eglibc
Version        : 2.11.3-4+deb6u1
CVE ID         : CVE-2014-0475 CVE-2014-5119

CVE-2014-0475

 Stephane Chazelas discovered that the GNU C library, glibc, processed
 ".." path segments in locale-related environment variables, possibly
 allowing attackers to circumvent intended restrictions, such as
 ForceCommand in OpenSSH, assuming that they can supply crafted locale
 settings.
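
 The check this bug calls for, as an added example (not code from the
 advisory, from glibc or from OpenSSH): a locale name taken from the
 environment must never be usable as a path that escapes the locale
 directory, and sshd only lets a remote user choose one if AcceptEnv
 forwards LANG/LC_*. The character whitelist, the variable list and the
 sample environment and sshd_config below are assumptions constructed
 for the example; the validator illustrates the class of check, not the
 exact patch applied in this update.

```python
import fnmatch
import re

# Locale-related environment variables glibc consults when resolving a
# locale name. Illustrative list, not claimed to be exhaustive.
LOCALE_VARS = ("LC_ALL", "LANG", "LC_CTYPE", "LC_COLLATE", "LC_MESSAGES",
               "LC_MONETARY", "LC_NUMERIC", "LC_TIME")

# Characters of an ordinary locale name such as en_US.UTF-8@euro. A name
# built only from these cannot contain '/', so it cannot name a path
# outside the locale directory. This is an illustration of the class of
# check, not glibc's exact fix.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.@+-]+$")


def locale_name_is_safe(name):
    """True if NAME cannot act as a traversing path component."""
    if name in (".", ".."):
        return False
    return _SAFE_NAME.match(name) is not None


def audit_environment(env):
    """Return (variable, value) pairs a setlocale-style lookup should
    refuse. Empty values are treated as unset."""
    return [(var, val) for var, val in env.items()
            if var in LOCALE_VARS and val and not locale_name_is_safe(val)]


def _directives(sshd_config):
    """Yield (keyword, args) for each non-comment line of an sshd_config.
    Match blocks are not modelled: every directive is treated as global."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0].lower(), parts[1:]


def accepted_locale_env(sshd_config):
    """AcceptEnv patterns that let a client set a locale variable. sshd's
    glob patterns are approximated with fnmatch (assumption)."""
    hits = []
    for keyword, args in _directives(sshd_config):
        if keyword != "acceptenv":
            continue
        for pat in args:
            if pat not in hits and any(fnmatch.fnmatchcase(v, pat)
                                       for v in LOCALE_VARS):
                hits.append(pat)
    return hits


def forcecommand_exposed(sshd_config):
    """True if the config relies on ForceCommand and also lets clients
    supply locale variables: the combination the advisory warns about
    on an unpatched eglibc."""
    uses_force = any(k == "forcecommand" for k, _ in _directives(sshd_config))
    return uses_force and bool(accepted_locale_env(sshd_config))


# Constructed sample inputs (not taken from the advisory).
SAMPLE_ENV = {
    "LANG": "en_US.UTF-8",
    "LC_TIME": "de_DE@euro",
    "LC_ALL": "../../../../tmp/evil",   # traversal attempt
    "PATH": "/usr/bin:/bin",
}

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
AcceptEnv LANG LC_*
Match User deploy
    ForceCommand /usr/local/bin/deploy-only
"""

if __name__ == "__main__":
    for var, val in audit_environment(SAMPLE_ENV):
        print("rejected %s=%r" % (var, val))
    print("client-settable locale vars:", accepted_locale_env(SAMPLE_SSHD_CONFIG))
    print("ForceCommand exposed:", forcecommand_exposed(SAMPLE_SSHD_CONFIG))
```

 Debian's stock sshd_config typically ships `AcceptEnv LANG LC_*`, so on
 a host that cannot take this update, dropping those patterns from
 AcceptEnv removes the usual channel by which an SSH client supplies the
 crafted locale name.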

CVE-2014-5119

 Tavis Ormandy discovered a heap-based buffer overflow in the
 transliteration module loading code in eglibc, Debian's version of the
 GNU C Library.  As a result, an attacker who can supply a crafted
 destination character set argument to iconv-related character
 conversion functions could achieve arbitrary code execution.

 This update removes support of loadable gconv transliteration modules.
 Besides the security vulnerability, the module loading code had
 functionality defects which prevented it from working for the intended
 purpose.
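
 To confirm a squeeze host actually carries the fix, compare the
 installed libc6 version against the Version line above. The following
 is an added example, not code from Debian or dpkg: it reimplements
 dpkg's version ordering (epoch, upstream part, Debian revision, with
 '~' sorting before everything) so that the comparison also runs where
 dpkg is not installed, and queries dpkg-query only when it is present.
 That libc6 is the binary package built from the eglibc source, and the
 tilde/ordering rules, are stated from knowledge of dpkg, not from the
 advisory.

```python
import shutil
import subprocess

# Fixed version from the advisory's Version line; libc6 is the binary
# package built from the eglibc source package (assumption from Debian
# packaging knowledge, not stated in the advisory).
FIXED_VERSIONS = {"libc6": "2.11.3-4+deb6u1"}


def parse_version(version):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(ch):
    """dpkg's ordering weight for one non-digit character: '~' sorts
    before everything (even end of string), letters before punctuation."""
    if ch is None or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does:
    alternate non-digit runs (by _order) and digit runs (numerically)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Negative, zero or positive as A is older than, equal to or newer than B."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


def is_fixed(installed, fixed):
    """True if INSTALLED is at least the FIXED version."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package):
    """Installed version via dpkg-query, or None when dpkg is unavailable
    or the package is not installed."""
    if shutil.which("dpkg-query") is None:
        return None
    result = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", package],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    for package, fixed in FIXED_VERSIONS.items():
        current = installed_version(package)
        if current is None:
            print("%s: not installed or dpkg unavailable" % package)
        else:
            state = "fixed" if is_fixed(current, fixed) else "VULNERABLE"
            print("%s %s (fixed in %s): %s" % (package, current, fixed, state))
```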

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFUBgZ/02K2KlS5mJARAq6lAJ0URl8fXxMnPAYug6hbZaAPAsQ/OgCfV1iz
vZyi9bxCvcWm3RTgnXkSECw=
=WC1a
-----END PGP SIGNATURE-----

