Bug 1135841 (CVE-2014-6040) - CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
Summary: CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, I...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-6040
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1127381 1135842 1139571 1140474 1172044
Blocks: 1121513 1135843 1157695
TreeView+ depends on / blocked
 
Reported: 2014-09-01 02:28 UTC by Murray McAllister
Modified: 2021-02-17 06:16 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
Clone Of:
Environment:
Last Closed: 2015-03-06 10:34:06 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0016 0 normal SHIPPED_LIVE Moderate: glibc security and bug fix update 2015-01-07 22:17:41 UTC
Red Hat Product Errata RHSA-2015:0327 0 normal SHIPPED_LIVE Moderate: glibc security and bug fix update 2015-03-05 12:10:38 UTC
Sourceware 17325 0 None None None Never

Description Murray McAllister 2014-09-01 02:28:05 UTC
Crashes were reported in the IBM code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364):

https://sourceware.org/bugzilla/show_bug.cgi?id=17325
https://sourceware.org/ml/libc-alpha/2014-08/msg00473.html

Florian Weimer noted:

"These crashers are out-of-bounds reads at a fixed offset relative to the data segment of a DSO, and in all cases I've seen, they were right in the middle of an unmapped segment of the same DSO. This means that these bugs are just crashers, but they can still result in denial-of-service conditions."

Reference:

http://seclists.org/oss-sec/2014/q3/466

Comment 1 Murray McAllister 2014-09-01 02:28:52 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1135842]

Comment 2 Murray McAllister 2014-09-02 06:02:01 UTC
MITRE assigned CVE-2014-6040 to these issues:

http://www.openwall.com/lists/oss-security/2014/09/02/1

Comment 4 Florian Weimer 2014-09-04 18:10:51 UTC
Possible mitigation: Remove the DSOs with the affected gconv modules if they are not needed:

/usr/lib/gconv/IBM932.so
/usr/lib/gconv/IBM933.so
/usr/lib/gconv/IBM935.so
/usr/lib/gconv/IBM937.so
/usr/lib/gconv/IBM939.so
/usr/lib/gconv/IBM1364.so
/usr/lib/gconv/IBM1371.so
/usr/lib/gconv/IBM1388.so
/usr/lib/gconv/IBM1390.so
/usr/lib/gconv/IBM1399.so

/usr/lib64/gconv/IBM932.so
/usr/lib64/gconv/IBM933.so
/usr/lib64/gconv/IBM935.so
/usr/lib64/gconv/IBM937.so
/usr/lib64/gconv/IBM939.so
/usr/lib64/gconv/IBM1364.so
/usr/lib64/gconv/IBM1371.so
/usr/lib64/gconv/IBM1388.so
/usr/lib64/gconv/IBM1390.so
/usr/lib64/gconv/IBM1399.so

IBM930 is not affected (see https://bugzilla.redhat.com/show_bug.cgi?id=1135840).

Comment 7 Florian Weimer 2014-11-14 13:26:28 UTC
Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=41488498b6

Comment 8 Huzaifa S. Sidhpurwala 2014-11-27 05:19:46 UTC
Statement:

This issue affects the version of glibc package as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata

Comment 14 errata-xmlrpc 2015-01-07 17:18:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0016 https://rhn.redhat.com/errata/RHSA-2015-0016.html

Comment 15 Fedora Update System 2015-03-04 10:25:25 UTC
glibc-2.18-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2015-03-05 07:18:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0327 https://rhn.redhat.com/errata/RHSA-2015-0327.html


Note You need to log in before you can comment on or make changes to this bug.