
testing eglibc for Squeeze LTS



Hi,

I uploaded version 2.11.3-4+deb6u2 of eglibc to:
 https://people.debian.org/~alteholz/packages/squeeze-lts/eglibc/amd64/

Please give it a try and tell me about any problems you met. As this is a main package, I would really like to get lots of feedback from different people!


eglibc (2.11.3-4+deb6u2) squeeze-lts; urgency=medium

  * Non-maintainer upload by the Squeeze LTS Team.
  * CVE-2012-6656:
    Fix validation check when converting from ibm930 to utf.
    When converting IBM930 code with iconv(), if IBM930 code which
    includes invalid multibyte character "0xffff" is specified, then
    iconv() segfaults.
  * CVE-2014-6040:
    Crashes on invalid input in IBM gconv modules [BZ #17325]
    These changes are based on the fix for BZ #14134 in commit
    6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
  * CVE-2014-7817:
    The function wordexp() fails to properly handle the WRDE_NOCMD
    flag when processing arithmetic inputs in the form of "$((... ``))"
    where "..." can be anything valid. The backticks in the arithmetic
    expression are evaluated in a shell even if WRDE_NOCMD forbade
    command substitution. This allows an attacker to attempt to pass
    dangerous commands via constructs of the above form, and bypass
    the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
    in exec_comm(), the only place that can execute a shell. All other
    checks for WRDE_NOCMD are superfluous and removed.

 -- Thorsten Alteholz <debian@alteholz.de>  Sun, 23 Nov 2014 19:03:02 +0100


Thanks!
 Thorsten
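Added here as a check for anyone trying the upload (example code, not part of the package or the changelog): it exercises the CVE-2014-7817 path described above by calling wordexp() with WRDE_NOCMD on a constructed "$((... ``))" input that contains a harmless backtick command, and reports whether command substitution is refused with WRDE_CMDSUB, as the fixed exec_comm() does, or silently performed. The function names and the probe string are my own.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand WORDS with WRDE_NOCMD set and return wordexp()'s status code.
 * On success the first resulting word is copied into OUT (when given)
 * so the caller can check what the expansion produced. */
static int nocmd_status(const char *words, char *out, size_t outlen)
{
    wordexp_t we;
    memset(&we, 0, sizeof we);
    int rc = wordexp(words, &we, WRDE_NOCMD);
    if (rc == 0) {
        if (out && outlen > 0)
            snprintf(out, outlen, "%s", we.we_wordc > 0 ? we.we_wordv[0] : "");
        wordfree(&we);
    }
    return rc;
}

/* 1 if WORDS expands under WRDE_NOCMD to exactly EXPECTED, else 0. */
int nocmd_expands_to(const char *words, const char *expected)
{
    char buf[128];
    return nocmd_status(words, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* Constructed probe: the "$((... ``))" shape from the changelog with a
 * harmless backtick command.  A fixed libc must refuse it with
 * WRDE_CMDSUB; a vulnerable one evaluates the backticks and returns 0. */
static const char *const cve_2014_7817_probe = "$((1+`echo 1`))";

int cve_2014_7817_fixed(void)
{
    return nocmd_status(cve_2014_7817_probe, NULL, 0) == WRDE_CMDSUB;
}

int main(void)
{
    /* Plain arithmetic must still expand under WRDE_NOCMD. */
    printf("control $((40+2)) -> %s\n",
           nocmd_expands_to("$((40+2))", "42") ? "42 (ok)" : "FAILED");
    printf("probe %s -> %s\n", cve_2014_7817_probe,
           cve_2014_7817_fixed() ? "rejected (fixed)" : "NOT rejected (vulnerable)");
    return cve_2014_7817_fixed() ? 0 : 1;
}
```

Build with `gcc -o nocmd-check nocmd-check.c` against the libc under test; a non-zero exit means the backticks were still evaluated.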