Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 513090 (CVE-2014-4043)

Summary: <sys-libs/glibc-2.19-r1: posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/06/11/3
Whiteboard: A3 [glsa cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 518364    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2014-06-13 09:34:09 UTC
From ${URL} :

David Reid, Glyph Lefkowitz, and myself discovered a bug in glibc (
https://sourceware.org/bugzilla/show_bug.cgi?id=17048) which can, in
conjunction with many common memory management techniques from an
application (read: we hit this issue repeatedly developing our Python
application), lead to a use after free, or other vulnerabilities.

Is it within policy to issue a CVE for glibc in a case like this?

Thanks to the Red Hat security team for assisting in triaging this and
working with the Glibc maintainers.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-06-13 17:25:20 UTC
Fixed in 2.20
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-15 09:15:18 UTC
Is there a way to backport to 2.17/2.18 ? Which version we need to stabilize?
Comment 4 SpanKY gentoo-dev 2014-06-15 19:18:27 UTC
i'm not planning on backporting past 2.19, nor stabilizing 2.18.  we'll most likely stabilize 2.19 next.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 20:52:16 UTC
CVE-2014-4043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4043):
  The posix_spawn_file_actions_addopen function in glibc before 2.20 does not
  copy its path argument in accordance with the POSIX specification, which
  allows context-dependent attackers to trigger use-after-free
  vulnerabilities.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 03:53:55 UTC
Maintainer(s), please drop the vulnerable version(s).

Added to an existing GLSA Request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:40 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).