1135841 – (CVE-2014-6040) CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)

Bug 1135841 (CVE-2014-6040) - CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)

Summary: CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, I...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-6040
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1127381 1135842 1139571 1140474 1172044
Blocks:	1121513 1135843 1157695
TreeView+	depends on / blocked

Reported:	2014-09-01 02:28 UTC by Murray McAllister
Modified:	2021-02-17 06:16 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
Clone Of:
Environment:
Last Closed:	2015-03-06 10:34:06 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0016	normal	SHIPPED_LIVE	Moderate: glibc security and bug fix update	2015-01-07 22:17:41 UTC
Red Hat Product Errata	RHSA-2015:0327	normal	SHIPPED_LIVE	Moderate: glibc security and bug fix update	2015-03-05 12:10:38 UTC
Sourceware	17325	None	None	None	Never

Description Murray McAllister 2014-09-01 02:28:05 UTC

Crashes were reported in the IBM code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364):

https://sourceware.org/bugzilla/show_bug.cgi?id=17325
https://sourceware.org/ml/libc-alpha/2014-08/msg00473.html

Florian Weimer noted:

"These crashers are out-of-bounds reads at a fixed offset relative to the data segment of a DSO, and in all cases I've seen, they were right in the middle of an unmapped segment of the same DSO. This means that these bugs are just crashers, but they can still result in denial-of-service conditions."

Reference:

http://seclists.org/oss-sec/2014/q3/466

Comment 1 Murray McAllister 2014-09-01 02:28:52 UTC

Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1135842]

Comment 2 Murray McAllister 2014-09-02 06:02:01 UTC

MITRE assigned CVE-2014-6040 to these issues:

http://www.openwall.com/lists/oss-security/2014/09/02/1

Comment 4 Florian Weimer 2014-09-04 18:10:51 UTC

Possible mitigation: Remove the DSOs with the affected gconv modules if they are not needed:

/usr/lib/gconv/IBM932.so
/usr/lib/gconv/IBM933.so
/usr/lib/gconv/IBM935.so
/usr/lib/gconv/IBM937.so
/usr/lib/gconv/IBM939.so
/usr/lib/gconv/IBM1364.so
/usr/lib/gconv/IBM1371.so
/usr/lib/gconv/IBM1388.so
/usr/lib/gconv/IBM1390.so
/usr/lib/gconv/IBM1399.so

/usr/lib64/gconv/IBM932.so
/usr/lib64/gconv/IBM933.so
/usr/lib64/gconv/IBM935.so
/usr/lib64/gconv/IBM937.so
/usr/lib64/gconv/IBM939.so
/usr/lib64/gconv/IBM1364.so
/usr/lib64/gconv/IBM1371.so
/usr/lib64/gconv/IBM1388.so
/usr/lib64/gconv/IBM1390.so
/usr/lib64/gconv/IBM1399.so

IBM930 is not affected (see https://bugzilla.redhat.com/show_bug.cgi?id=1135840).

Comment 7 Florian Weimer 2014-11-14 13:26:28 UTC

Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=41488498b6

Comment 8 Huzaifa S. Sidhpurwala 2014-11-27 05:19:46 UTC

Statement:

This issue affects the version of glibc package as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata

Comment 14 errata-xmlrpc 2015-01-07 17:18:08 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0016 https://rhn.redhat.com/errata/RHSA-2015-0016.html

Comment 15 Fedora Update System 2015-03-04 10:25:25 UTC

glibc-2.18-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2015-03-05 07:18:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0327 https://rhn.redhat.com/errata/RHSA-2015-0327.html

Note You need to log in before you can comment on or make changes to this bug.