Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 521932 (CVE-2014-6040) - <sys-libs/glibc-2.20: out-of-bounds reads (CVE-2014-6040)
Summary: <sys-libs/glibc-2.20: out-of-bounds reads (CVE-2014-6040)
Status: RESOLVED FIXED
Alias: CVE-2014-6040
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/git/gitweb.cgi...
Whiteboard: A3 [glsa]
Keywords:
Depends on: CVE-2014-0475 544034
Blocks:
  Show dependency tree
 
Reported: 2014-09-02 08:14 UTC by Agostino Sarubbo
Modified: 2016-02-17 15:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-09-02 08:14:16 UTC
From ${URL} :

Today, Adhemerval Zanella Netto reported in additional code page 
decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364):

<https://sourceware.org/bugzilla/show_bug.cgi?id=17325>
<https://sourceware.org/ml/libc-alpha/2014-08/msg00473.html>

Upstream commit is still pending.

These crashers are out-of-bounds reads at a fixed offset relative to the 
data segment of a DSO, and in all cases I've seen, they were right in 
the middle of an unmapped segment of the same DSO.  This means that 
these bugs are just crashers, but they can still result in 
denial-of-service conditions.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-09 23:15:23 UTC
From Upstream:
"08 Septtember 2014
The GNU C Library version 2.20 is now available"
https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html

Maintainer(s): after the bump please let us know when the ebuild is ready for  stabilization.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 20:50:37 UTC
CVE-2014-6040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6040):
  GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to
  cause a denial of service (out-of-bounds read and crash) via a multibyte
  character value of "0xffff" to the iconv function when converting (1)
  IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to
  UTF-8.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-03 04:03:25 UTC
Setting to blocker Bug #516884 (for glibc-2.20)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:37:57 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02
by GLSA coordinator Tobias Heinlein (keytoaster).