Bug 1135841 (CVE-2014-6040)
Summary: | CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ashankar, chazlett, codonell, fweimer, hannsj_uhl, huzaifas, jakub, jrusnack, law, pfrankli, sardella, spoyarek |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2015-03-06 10:34:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1127381, 1135842, 1139571, 1140474, 1172044 | ||
Bug Blocks: | 1121513, 1135843, 1157695 |
Description
Murray McAllister
2014-09-01 02:28:05 UTC
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 1135842] MITRE assigned CVE-2014-6040 to these issues: http://www.openwall.com/lists/oss-security/2014/09/02/1 Possible mitigation: Remove the DSOs with the affected gconv modules if they are not needed: /usr/lib/gconv/IBM932.so /usr/lib/gconv/IBM933.so /usr/lib/gconv/IBM935.so /usr/lib/gconv/IBM937.so /usr/lib/gconv/IBM939.so /usr/lib/gconv/IBM1364.so /usr/lib/gconv/IBM1371.so /usr/lib/gconv/IBM1388.so /usr/lib/gconv/IBM1390.so /usr/lib/gconv/IBM1399.so /usr/lib64/gconv/IBM932.so /usr/lib64/gconv/IBM933.so /usr/lib64/gconv/IBM935.so /usr/lib64/gconv/IBM937.so /usr/lib64/gconv/IBM939.so /usr/lib64/gconv/IBM1364.so /usr/lib64/gconv/IBM1371.so /usr/lib64/gconv/IBM1388.so /usr/lib64/gconv/IBM1390.so /usr/lib64/gconv/IBM1399.so IBM930 is not affected (see https://bugzilla.redhat.com/show_bug.cgi?id=1135840). Statement: This issue affects the version of glibc package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:0016 https://rhn.redhat.com/errata/RHSA-2015-0016.html glibc-2.18-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0327 https://rhn.redhat.com/errata/RHSA-2015-0327.html |