[SECURITY] Fedora 20 Update: glibc-2.18-14.fc20

updates at fedoraproject.org updates at fedoraproject.org
Thu Aug 28 15:31:23 UTC 2014 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-9824
2014-08-28 14:38:55
--------------------------------------------------------------------------------

Name        : glibc
Product     : Fedora 20
Version     : 2.18
Release     : 14.fc20
URL         : http://www.gnu.org/software/glibc/
Summary     : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

--------------------------------------------------------------------------------
Update Information:

* Locale names, including those obtained from environment variables (LANG and the LC_* variables), are more tightly checked for proper syntax.  setlocale will now fail (with EINVAL) for locale names that are overly long, contain slashes without starting with a slash, or contain ".." path components. (CVE-2014-0475)  Previously, some valid locale names were silently replaced with the "C" locale when running in AT_SECURE mode (e.g., in a SUID program).  This is no longer necessary because of the additional checks.

* Support for loadable gconv transliteration modules has been removed because it did not work at all.  Regular gconv conversion modules are still supported.  (CVE-2014-5119)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 26 2014 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.18-14
- Remove gconv transliteration loadable modules support (CVE-2014-5119,
  - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,
* Thu Feb  6 2014 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.18-13
- Add pointer mangling support for ARM (#1019452).
* Thu Jan 23 2014 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.18-12
- Use first name entry for address in /etc/hosts as the canonical name
  in getaddrinfo (#1047979).
- Fix parsing of 0e+0 as float (#1055613).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1129743 - CVE-2014-5119 glibc: out-of-bounds NUL write in iconv_open
        https://bugzilla.redhat.com/show_bug.cgi?id=1129743
  [ 2 ] Bug #1102353 - CVE-2014-0475 glibc: directory traversal in LC_* locale handling
        https://bugzilla.redhat.com/show_bug.cgi?id=1102353
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update glibc' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list