Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 513090 (CVE-2014-4043) - <sys-libs/glibc-2.19-r1: posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)
Summary: <sys-libs/glibc-2.19-r1: posix_spawn_file_actions_addopen fails to copy the p...
Status: RESOLVED FIXED
Alias: CVE-2014-4043
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa cleanup]
Keywords:
Depends on: 518364
Blocks:
  Show dependency tree
 
Reported: 2014-06-13 09:34 UTC by Agostino Sarubbo
Modified: 2015-03-08 14:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-13 09:34:09 UTC
From ${URL} :

David Reid, Glyph Lefkowitz, and myself discovered a bug in glibc (
https://sourceware.org/bugzilla/show_bug.cgi?id=17048) which can, in
conjunction with many common memory management techniques from an
application (read: we hit this issue repeatedly developing our Python
application), lead to a use after free, or other vulnerabilities.

Is it within policy to issue a CVE for glibc in a case like this?

Thanks to the Red Hat security team for assisting in triaging this and
working with the Glibc maintainers.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-13 17:25:20 UTC
Fixed in 2.20
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-15 09:15:18 UTC
Is there a way to backport to 2.17/2.18 ? Which version we need to stabilize?
Comment 4 SpanKY gentoo-dev 2014-06-15 19:18:27 UTC
i'm not planning on backporting past 2.19, nor stabilizing 2.18.  we'll most likely stabilize 2.19 next.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 20:52:16 UTC
CVE-2014-4043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4043):
  The posix_spawn_file_actions_addopen function in glibc before 2.20 does not
  copy its path argument in accordance with the POSIX specification, which
  allows context-dependent attackers to trigger use-after-free
  vulnerabilities.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-03 03:53:55 UTC
Maintainer(s), please drop the vulnerable version(s).

Added to an existing GLSA Request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:40 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).