[SECURITY] [DSA 3012-1] eglibc security update

2014-08-2705:51:23

lists.debian.org

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.012 Low

EPSS

Percentile

84.7%

JSON

Debian Security Advisory DSA-3012-1 [email protected]
http://www.debian.org/security/ Florian Weimer
August 27, 2014 http://www.debian.org/security/faq

Package : eglibc
CVE ID : CVE-2014-5119

Tavis Ormandy discovered a heap-based buffer overflow in the
transliteration module loading code in eglibc, Debian's version of the
GNU C Library. As a result, an attacker who can supply a crafted
destination character set argument to iconv-related character
conversation functions could achieve arbitrary code execution.

This update removes support of loadable gconv transliteration modules.
Besides the security vulnerability, the module loading code had
functionality defects which prevented it from working for the intended
purpose.

For the stable distribution (wheezy), this problem has been fixed in
version 2.13-38+deb7u4.

We recommend that you upgrade your eglibc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7s390xlibc6-prof< 2.13-38+deb7u4libc6-prof_2.13-38+deb7u4_s390x.deb
Debian7kfreebsd-amd64libc0.1-dev-i386< 2.13-38+deb7u4libc0.1-dev-i386_2.13-38+deb7u4_kfreebsd-amd64.deb
Debian7alleglibc< 2.13-38+deb7u4eglibc_2.13-38+deb7u4_all.deb
Debian7i386libc6-dev< 2.13-38+deb7u4libc6-dev_2.13-38+deb7u4_i386.deb
Debian7ia64libc6.1-prof< 2.13-38+deb7u4libc6.1-prof_2.13-38+deb7u4_ia64.deb
Debian7armhflibc6-udeb< 2.13-38+deb7u4libc6-udeb_2.13-38+deb7u4_armhf.deb
Debian7powerpclibc6< 2.13-38+deb7u4libc6_2.13-38+deb7u4_powerpc.deb
Debian6i386libc6< 2.11.3-4+deb6u1libc6_2.11.3-4+deb6u1_i386.deb
Debian7s390xlocales-all< 2.13-38+deb7u4locales-all_2.13-38+deb7u4_s390x.deb
Debian7ia64nscd< 2.13-38+deb7u4nscd_2.13-38+deb7u4_ia64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	s390x	libc6-prof	< 2.13-38+deb7u4	libc6-prof_2.13-38+deb7u4_s390x.deb
Debian	7	kfreebsd-amd64	libc0.1-dev-i386	< 2.13-38+deb7u4	libc0.1-dev-i386_2.13-38+deb7u4_kfreebsd-amd64.deb
Debian	7	all	eglibc	< 2.13-38+deb7u4	eglibc_2.13-38+deb7u4_all.deb
Debian	7	i386	libc6-dev	< 2.13-38+deb7u4	libc6-dev_2.13-38+deb7u4_i386.deb
Debian	7	ia64	libc6.1-prof	< 2.13-38+deb7u4	libc6.1-prof_2.13-38+deb7u4_ia64.deb
Debian	7	armhf	libc6-udeb	< 2.13-38+deb7u4	libc6-udeb_2.13-38+deb7u4_armhf.deb
Debian	7	powerpc	libc6	< 2.13-38+deb7u4	libc6_2.13-38+deb7u4_powerpc.deb
Debian	6	i386	libc6	< 2.11.3-4+deb6u1	libc6_2.11.3-4+deb6u1_i386.deb
Debian	7	s390x	locales-all	< 2.13-38+deb7u4	locales-all_2.13-38+deb7u4_s390x.deb
Debian	7	ia64	nscd	< 2.13-38+deb7u4	nscd_2.13-38+deb7u4_ia64.deb