Bugzilla – Bug 892073
VUL-0: glibc,glibc.i686: CVE-2014-5119: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find()
Last modified: 2019-05-01 16:17:48 UTC
Tavis Ormandy reported an off-by-one error leading to a heap-based buffer overflow flaw in glibc's __gconv_translit_find() function. This could be triggered by setting the CHARSET environment variable to a malicious value. This could possibly lead to code execution as root if a set user ID (setuid) root application used this environment variable without sanitizing its value.

Date: Thu, 14 Aug 2014 14:23:27 -0700
From: Tavis Ormandy <taviso@cmpxchg8b.com>

FWIW, after discussion and debugging with Florian I think everyone is convinced this is exploitable on x64 and x86. Additionally, there's also a trivial root if a directory exists with certain character restrictions.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1119128
https://bugzilla.redhat.com/show_bug.cgi?id=1129743
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5119
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5119.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
https://sourceware.org/ml/libc-alpha/2014-07/msg00590.html

bugbot adjusting priority
http://googleprojectzero.blogspot.de/2014/08/the-poisoned-nul-byte-2014-edition.html exploit description for this problem
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-09-02. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58715
Affected packages:
SLE-10-SP3-TERADATA: glibc
SLE-10-SP4: glibc
SLE-11-SP1: glibc
SLE-11-SP2: glibc
SLE-11-SP3: glibc
This is an autogenerated message for OBS integration: This bug (892073) was mentioned in https://build.opensuse.org/request/show/246521 Factory / glibc
Andreas, please reference the CVE-2014-5119 inside the changes files.
Can you also submit openSUSE 12.3 and 13.1? And Factory?
Is there an ETA for this fix?
It is currently being tested and will be released soon.

openSUSE-SU-2014:1115-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 887022,892073,894553
CVE References: CVE-2014-0475,CVE-2014-5119,CVE-2014-6040
Sources used:
openSUSE 13.1 (src): glibc-2.18-4.21.1, glibc-testsuite-2.18-4.21.2, glibc-utils-2.18-4.21.1
openSUSE 12.3 (src): glibc-2.17-4.13.1, glibc-testsuite-2.17-4.13.2, glibc-utils-2.17-4.13.1

SUSE-SU-2014:1119-1: An update that solves three vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 772242,779320,818630,828235,828637,834594,892073
CVE References: CVE-2012-4412,CVE-2013-4237,CVE-2014-5119
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): glibc-2.4-31.111.1

SUSE-SU-2014:1122-1: An update that solves 7 vulnerabilities and has 6 fixes is now available.
Category: security (important)
Bug References: 750741,779320,801246,830268,834594,836746,839870,843735,864081,882600,883022,886416,892073
CVE References: CVE-2012-4412,CVE-2013-0242,CVE-2013-4237,CVE-2013-4332,CVE-2013-4788,CVE-2014-4043,CVE-2014-5119
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): glibc-2.11.1-0.58.1

SUSE-SU-2014:1125-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (important)
Bug References: 888347,892065,892073
CVE References: CVE-2014-5119
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): glibc-2.11.3-17.72.14
SUSE Linux Enterprise Server 11 SP3 for VMware (src): glibc-2.11.3-17.72.14
SUSE Linux Enterprise Server 11 SP3 (src): glibc-2.11.3-17.72.14
SUSE Linux Enterprise Desktop 11 SP3 (src): glibc-2.11.3-17.72.14

SUSE-SU-2014:1128-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.
Category: security (important)
Bug References: 779320,801246,824639,834594,839870,842291,860501,882600,892073,894553,894556
CVE References: CVE-2012-4412,CVE-2013-0242,CVE-2013-4237,CVE-2013-4332,CVE-2014-4043,CVE-2014-5119
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src): glibc-2.4-31.77.112.1

SUSE-SU-2014:1129-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 836746,844309,892073,894553,894556
CVE References: CVE-2012-6656,CVE-2013-4357,CVE-2014-5119,CVE-2014-6040
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): glibc-2.11.3-17.45.53.1

released