Debian Security Advisory

DLA-43-1 eglibc -- LTS security update

Date Reported:
02 Sep 2014
Affected Packages:
eglibc
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-0475, CVE-2014-5119.
More information:
  • CVE-2014-0475

    Stephane Chazelas discovered that the GNU C library, glibc, processed ".." path segments in locale-related environment variables, possibly allowing attackers to circumvent intended restrictions, such as ForceCommand in OpenSSH, assuming that they can supply crafted locale settings.

  • CVE-2014-5119

    Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution.

    This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose.

For Debian 6 Squeeze, these issues have been fixed in eglibc version 2.11.3-4+deb6u1