Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-43-1 eglibc

Debian Security Advisory

DLA-43-1 eglibc -- LTS security update

Date Reported:

02 Sep 2014

Affected Packages:

eglibc

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-0475, CVE-2014-5119.

More information:

• CVE-2014-0475

  Stephane Chazelas discovered that the GNU C library, glibc, processed ".." path segments in locale-related environment variables, possibly allowing attackers to circumvent intended restrictions, such as ForceCommand in OpenSSH, assuming that they can supply crafted locale settings.

• CVE-2014-5119

  Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution.

  This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose.

For Debian 6 Squeeze, these issues have been fixed in eglibc version 2.11.3-4+deb6u1