MGASA-2014-0314

See a problem?
Please try reporting it to the source first.
Source
https://advisories.mageia.org/MGASA-2014-0314.html
Import Source
https://advisories.mageia.org/MGASA-2014-0314.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2014-0314
Related
Published
2014-08-05T20:08:48Z
Modified
2014-08-05T19:37:14Z
Summary
Updated glibc packages fix security issues
Details

Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with ".." components in the LC* and LANG variables. Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshdconfig), this could conceivably be used to bypass ForceCommand restrictions (or restricted shells), assuming the attacker has sufficient level of access to a file system location on the host to create crafted locale definitions there. (CVE-2014-0475)

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where posixspawnfileactionsaddopen fails to copy the path argument (glibc bz #17048) which can, in conjunction with many common memory management techniques from an application, lead to a use after free, or other vulnerabilities. (CVE-2014-4043)

This update also fixes the following issues: x86: Disable x87 inline functions for SSE2 math (glibc bz #16510) malloc: Fix race in free() of fastbin chunk (glibc bz #15073)

References
Credits

Affected packages

Mageia:3 / glibc

Package

Name
glibc
Purl
pkg:rpm/mageia/glibc?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.17-7.3.mga3

Ecosystem specific 

{
    "section": "core"
}

Mageia:4 / glibc

Package

Name
glibc
Purl
pkg:rpm/mageia/glibc?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.18-9.2.mga4

Ecosystem specific 

{
    "section": "core"
}