| Field | Value |
|---|---|
| Summary | <sys-libs/glibc-2.20: directory traversal in LC_* locale handling (CVE-2014-0475) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| CC | toolchain |
| URL | http://www.openwall.com/lists/oss-security/2014/07/10/7 |
| See Also | https://sourceware.org/bugzilla/show_bug.cgi?id=17137 |
| Whiteboard | A4 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 544034 |
| Bug Blocks | 517082, 521932, 529982, 532874, 538090, 538814, 540070 |

Description
Agostino Sarubbo
CVE-2014-0475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0475): Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

From Upstream: "08 September 2014 The GNU C Library version 2.20 is now available" https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html

Maintainer(s): after the bump please let us know when the ebuild is ready for stabilization.

fix is also in glibc-2.20-r2 now

err, ignore that ... fix is in all 2.20 releases obviously

(In reply to SpanKY from comment #4)
> err, ignore that ... fix is in all 2.20 releases obviously

Indeed, thanks for backporting the fixes for the related (now marked as blocked by this bug)

Please call for stabilization when you consider that the package has gotten appropriate testing and is ready for it.

This issue was resolved and addressed in GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02 by GLSA coordinator Tobias Heinlein (keytoaster).
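
As an added illustration (not code from glibc, Gentoo, or anyone in this bug), the following C sketch shows how a launcher that runs a restricted command could drop locale variables containing `..` or `/` before the child process starts, for hosts still on a glibc older than 2.20. The function names, the inclusion of `LANGUAGE`, and the strict "no slash at all" policy are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* LC_* and LANG come from the advisory text; LANGUAGE is an assumption
   about what "other locale environment variable" includes. */
static int is_locale_var(const char *entry, size_t name_len)
{
    if (name_len > 3 && strncmp(entry, "LC_", 3) == 0)
        return 1;
    return (name_len == 4 && strncmp(entry, "LANG", 4) == 0) ||
           (name_len == 8 && strncmp(entry, "LANGUAGE", 8) == 0);
}

/* Deliberately strict policy: no '/' and no ".." anywhere, max 255 bytes. */
int locale_value_is_safe(const char *value)
{
    return strlen(value) <= 255 && strchr(value, '/') == NULL &&
           strstr(value, "..") == NULL;
}

/* Compact a NULL-terminated envp in place, dropping locale variables that
   fail the policy. Returns the number of entries dropped. */
size_t scrub_locale_env(char **envp)
{
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq != NULL && is_locale_var(envp[i], (size_t)(eq - envp[i])) &&
            !locale_value_is_safe(eq + 1)) {
            dropped++;
            continue;
        }
        envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment, not taken from the bug report. */
    char *env[] = { "PATH=/usr/bin", "LANG=en_US.UTF-8",
                    "LC_ALL=../../tmp/x", "LC_TIME=de_DE", NULL };
    size_t dropped = scrub_locale_env(env);
    printf("dropped %zu\n", dropped);
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```

A filter like this is defence in depth only; the fix recorded in this bug is the upgrade to glibc 2.20.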