Debian Security Advisory
DLA-43-1 eglibc -- LTS security update
- Date Reported:
- 02 Sep 2014
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-0475, CVE-2014-5119.
- More information:
Stephane Chazelas discovered that the GNU C library, glibc, processed ".." path segments in locale-related environment variables, possibly allowing attackers to circumvent intended restrictions, such as ForceCommand in OpenSSH, assuming that they can supply crafted locale settings.
Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution.
This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose.
For Debian 6
Squeeze, these issues have been fixed in eglibc version 2.11.3-4+deb6u1