Debian Security Advisory

DLA-97-1 eglibc -- LTS security update

Date Reported:
29 Nov 2014
Affected Packages:
eglibc
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2012-6656, CVE-2014-6040, CVE-2014-7817.
More information:
  • CVE-2012-6656

    Fix the validation check when converting from IBM930 to UTF. When converting IBM930 text with iconv(), an input that includes the invalid multibyte character 0xffff makes iconv() segfault.

  • CVE-2014-6040

    Crashes on invalid input in IBM gconv modules [BZ #17325]. These changes are based on the fix for BZ #14134 in commit 6e230d11837f3ae7b375ea69d7905f0d18eb79e5.

  • CVE-2014-7817

    The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ``))" where "..." can be anything valid. The backticks in the arithmetic expression are evaluated in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD in exec_comm(), the only place that can execute a shell. All other checks for WRDE_NOCMD are superfluous and removed.
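
    As an added regression check (not code from the advisory or from eglibc/glibc), the following C program assumes a glibc-style wordexp() and verifies that WRDE_NOCMD rejects the "$((... ``))" construct described above with WRDE_CMDSUB before any shell is spawned, while plain arithmetic still expands; the inputs are constructed here with a harmless "echo 1".

```c
/* Regression check for the wordexp() bug described above (CVE-2014-7817):
 * with WRDE_NOCMD set, command substitution must be refused even when nested
 * inside "$((...))". Added example, not code from the advisory or glibc. */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Constructed inputs of the shape the advisory describes. The command is a
 * harmless "echo 1"; what matters is whether /bin/sh is reached at all. */
static const char *const nocmd_patterns[] = {
    "$((`echo 1`))", "$((1+`echo 1`))", "$((1+$((`echo 1`))))",
};

/* Expand PATTERN under WRDE_NOCMD and return the wordexp() status code.
 * A fixed libc returns WRDE_CMDSUB without spawning a shell; the unpatched
 * eglibc ran the backticks in a shell and returned 0. On success the first
 * resulting word is copied into OUT (if given). */
int expand_nocmd(const char *pattern, char *out, size_t outlen)
{
    wordexp_t we = {0};
    int rc = wordexp(pattern, &we, WRDE_NOCMD);
    if (out && outlen)
        snprintf(out, outlen, "%s", (rc == 0 && we.we_wordc) ? we.we_wordv[0] : "");
    if (rc == 0)
        wordfree(&we);
    return rc;
}

/* WRDE_NOCMD only blocks command substitution, so plain arithmetic such as
 * "$((1+2))" must still expand. Returns 1 if PATTERN yields EXPECTED. */
int arith_expands_to(const char *pattern, const char *expected)
{
    char buf[64];
    return expand_nocmd(pattern, buf, sizeof buf) == 0 && !strcmp(buf, expected);
}

/* Returns 1 when every pattern above is rejected with WRDE_CMDSUB. */
int nocmd_is_honoured(void)
{
    for (size_t i = 0; i < sizeof nocmd_patterns / sizeof *nocmd_patterns; i++)
        if (expand_nocmd(nocmd_patterns[i], NULL, 0) != WRDE_CMDSUB)
            return 0;
    return 1;
}

int main(void)
{
    printf("$((1+2)) -> 3: %s\n", arith_expands_to("$((1+2))", "3") ? "yes" : "no");
    printf("WRDE_NOCMD honoured inside $((...)): %s\n",
           nocmd_is_honoured() ? "yes (fixed)" : "NO (vulnerable)");
    return nocmd_is_honoured() ? 0 : 1;
}
```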

For Debian 6 Squeeze, these issues have been fixed in eglibc version 2.11.3-4+deb6u2.