CVE-2014-5119

Priority
High
Description
Off-by-one error in the __gconv_translit_find function in gconv_trans.c in
GNU C Library (aka glibc) allows context-dependent attackers to cause a
denial of service (crash) or execute arbitrary code via vectors related to
the CHARSET environment variable and gconv transliteration modules.
Notes
jdstrand> per researcher (Chris Evans), a path with an even number of
characters to the gconv/ directory makes his exploit harmless. This happens
to be true on Ubuntu with multiarch on 12.04 LTS and higher on amd64 and
i386. Ubuntu 10.04 LTS and armhf on all supported releases have an odd path
length. There are likely other ways to exploit on Ubuntu.
jdstrand> eglibc on 14.10 exists but is scheduled to be removed
jdstrand> the severity was bumped from medium to high once additional research
was revealed on 2014-08-26 (marked PublicDateAtUSN accordingly). There are no
known active exploits against Ubuntu as of 2014-08-28, but they will likely
be available soon.
Assigned-to
infinity
Package
Upstream: needed
Ubuntu 10.04 LTS (Lucid Lynx): released (2.11.1-0ubuntu7.16)
Ubuntu 12.04 LTS (Precise Pangolin): released (2.15-0ubuntu10.7)
Ubuntu 14.04 LTS (Trusty Tahr): released (2.19-0ubuntu6.3)
Ubuntu 14.10 (Utopic Unicorn): ignored (see note)
Package
Source: glibc
Upstream: needed
Ubuntu 10.04 LTS (Lucid Lynx): DNE
Ubuntu 12.04 LTS (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 14.10 (Utopic Unicorn): released (2.19-10ubuntu1)
Patches:
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8

Updated: 2014-09-03 14:14:56 UTC (commit 8447)