Summary: | <sys-libs/glibc-2.20: out-of-bounds reads (CVE-2014-6040) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | toolchain |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=41488498b6d9440ee66ab033808cce8323bba7ac | | |
See Also: | https://sourceware.org/bugzilla/show_bug.cgi?id=17325 | | |
Whiteboard: | A3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 516884, 544034 | | |
Bug Blocks: | | | |

Description
Agostino Sarubbo
2014-09-02 08:14:16 UTC
http://www.openwall.com/lists/oss-security/2014/08/29/3

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=41488498b6d9440ee66ab033808cce8323bba7ac

From Upstream: "08 September 2014 The GNU C Library version 2.20 is now available" https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html

Maintainer(s): after the bump please let us know when the ebuild is ready for stabilization.

CVE-2014-6040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6040): GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

Setting to blocker Bug #516884 (for glibc-2.20)

This issue was resolved and addressed in GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02 by GLSA coordinator Tobias Heinlein (keytoaster).