please fix CVE-2014-5119

Bug #1362409 reported by Jamie Strandboge on 2014-08-28
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
eglibc (Ubuntu)
Undecided
Unassigned
Lucid
High
Adam Conrad
Precise
High
Adam Conrad
Trusty
High
Adam Conrad
Utopic
Undecided
Unassigned
glibc (Ubuntu)
High
Adam Conrad
Utopic
High
Adam Conrad
Changed in eglibc (Ubuntu Utopic):
status: New → Won't Fix
no longer affects: glibc (Ubuntu Lucid)
no longer affects: glibc (Ubuntu Precise)
no longer affects: glibc (Ubuntu Trusty)
Changed in eglibc (Ubuntu):
status: New → Won't Fix
Changed in eglibc (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Adam Conrad (adconrad)
Changed in eglibc (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Adam Conrad (adconrad)
Changed in eglibc (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Adam Conrad (adconrad)
Changed in glibc (Ubuntu Utopic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Adam Conrad (adconrad)
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.15-0ubuntu10.7

---------------
eglibc (2.15-0ubuntu10.7) precise; urgency=medium

  * SECURITY UPDATE: heap overflow in __gconv_translit_find() (LP: #1362409)
    - debian/patches/any/cvs-CVE-2014-5119.diff: Backport upstream commit to
      completely remove support for loadable gconv transliteration modules.
  * SECURITY REGRESSION: localplt regression introduced in 2.15-0ubuntu10.6
    - debian/patches/any/submitted-CVE-2014-0475.diff: update with a backport
      of upstream commit ca38dc17 to include memmem hidden alias declaration.
 -- Adam Conrad <email address hidden> Wed, 27 Aug 2014 22:18:52 -0600

Changed in eglibc (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.19-0ubuntu6.3

---------------
eglibc (2.19-0ubuntu6.3) trusty; urgency=medium

  * SECURITY UPDATE: heap overflow in __gconv_translit_find() (LP: #1362409)
    - debian/patches/any/cvs-CVE-2014-5119.diff: Backport upstream commit to
      completely remove support for loadable gconv transliteration modules.
 -- Adam Conrad <email address hidden> Wed, 27 Aug 2014 22:19:15 -0600

Changed in eglibc (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.11.1-0ubuntu7.16

---------------
eglibc (2.11.1-0ubuntu7.16) lucid; urgency=medium

  * SECURITY UPDATE: heap overflow in __gconv_translit_find() (LP: #1362409)
    - debian/patches/any/cvs-CVE-2014-5119.diff: Backport upstream commit to
      completely remove support for loadable gconv transliteration modules.
  * SECURITY REGRESSION: localplt regression introduced in 2.11.1-0ubuntu7.14
    - debian/patches/any/submitted-CVE-2014-0475.diff: update with a backport
      of upstream commit ca38dc17 to include memmem hidden alias declaration.
 -- Adam Conrad <email address hidden> Wed, 27 Aug 2014 22:08:11 -0600

Changed in eglibc (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (5.2 KiB)

This bug was fixed in the package glibc - 2.19-10ubuntu1

---------------
glibc (2.19-10ubuntu1) utopic; urgency=medium

  * Merge with Debian unstable, bringing in several CVE fixes (LP: #1362409)
  * Enable systemtap support for Ubuntu which was dropped in Debian for now.
  * Move MIN_KERNEL_SUPPORTED to 2.6.32 on x86 now that hardy PPAs are dead.
  * libc-dev no longer Recommends 'gcc | c-compiler' (LP: #990982, #1005097)

glibc (2.19-10) unstable; urgency=medium

  [ Aurelien Jarno ]
  * debian/rules: drop the i486 to i586 GNU triplet conversion.
  * debian/control.in/main: build-depends on dpkg-dev (>= 1.17.1) and
    gcc-4.8 (>= 4.8.3-8) to make sure to get the new i586 GNU triplet on
    i386, hurd-i386 and kfreebsd-i386.
  * Remove iconv(1), iconvconfig(8), localedef(1) and sprof(1) manpages,
    provided by the manpages packages starting with version 3.71.
  * patches/any/cvs-CVE-2014-5119.diff: New patch from upstream to remove
    support for loadable gconv transliteration modules (CVE-2014-5119).

  [ Samuel Thibault ]
  * patches/hurd-i386/cvs-libpthread_guardsize.diff: Fix guard size computation.
    Fixes the creation of thousands of threads, and thus pulseaudio testsuite.
    Closes: #758671.
  * patches/hurd-i386/cvs-libpthread_std_thread.diff: New patch to deal with
    std::thread using __pthread_key_create to detect presence of libpthread.
    Fixes build of webkitgtk and most probably other libstdc++-related
    failures.
  * patches/hurd-i386/submitted-bind_umask.diff: New patch to fix bind() when
    umask is 0000, fixes clamav testsuite. Closes: #759218.

  [ Adam Conrad ]
  * debian/patches/series: Actually apply the submitted arm64 alignment and
    setcontext patches mentioned in 2.19-0experimental0 (closes: #759042)

glibc (2.19-9) unstable; urgency=medium

  [ Aurelien Jarno ]
  * debian/rules.d/control.mk: don't add libc6{,-dev}-{armel,armhf}
    packages in debian/control as we don't build them in Debian. New dak
    code checks for NEW packages directly in debian/control.

glibc (2.19-8) unstable; urgency=medium

  [ Helmut Grohne ]
  * debian/patches/build stage2 without selinux. Closes: #742640.
  * Don't emit dependencies on libgcc when building stage2. Closes: #755580.
  * Add a "nobiarch" build profile that inhibits all multilib packages from
    being built. Closes: #745380.

  [ Aurelien Jarno ]
  * debian/patches/arm64/cvs-includes-cleanup.diff: new patch from upstream to
    clean sys/user.h and sys/procfs.h. Closes: #755169.
  * debian/patches/s390/cvs-s390-abi-reversal.diff: new patch backported from
    upstream to revert the S/390 jmp_buf/ucontext_t ABI change.
  * Update Turkish debconf translation, by Mert Dirik. Closes: #757495.
  * Remove ia64 support. Closes: #756095.
  * Update debian/copyright with the libidn/punycode.{c,h} license. Closes:
    #754731.
  * debian/control/libc: drop Recommends on: gcc | c-compiler. Closes:
    #747933.

glibc (2.19-7) unstable; urgency=high

  * debian/patches/localedata/unsubmitted-tst-setlocale3-ENV.diff: Apply
    correct environment for the tst-setlocale3 test to find its locales.

glibc (2.19-6) unstable; urgency=high

  [ Aurelien Jarno ]
  * d...

Read more...

Changed in glibc (Ubuntu Utopic):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers