[security-announce] eglibc: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri Feb 20 14:47:06 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory	

=========================================================
Product/package: eglibc
Severity: Moderate
Issue date: 2015-02-19
CVE Names:  CVE-2014-7817
Layer: meta
=========================================================

A security patch that fixes a vulnerability in the eglibc wordexp()
function is now available at http://linux.enea.com/4.0/patches:

README file: 0042-eglibc-CVE-2014-7817.README
Patch file:  0042-eglibc-CVE-2014-7817.patch

Description
===========
The wordexp function in GNU C Library (aka glibc/eglibc) 2.21 does not
enforce the WRDE_NOCMD flag, which allows context-dependent attackers
to execute arbitrary commands, as demonstrated by input containing
"$((`...`))".

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817
https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html

How to apply the patches
========================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order:

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- Fetch and apply the new patch
wget http://linux.enea.com/4.0/patches/0042-eglibc-CVE-2014-7817.patch
patch -p1 < ./0042-eglibc-CVE-2014-7817.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
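
A post-patch check for the behaviour in the Description above, added here as an example and not part of the Enea advisory or patch. It calls wordexp() with WRDE_NOCMD on constructed inputs (the function and probe names are hypothetical, and `echo 1` is a harmless stand-in command) and counts any that the C library expands instead of rejecting with WRDE_CMDSUB.

```c
#include <stdio.h>
#include <wordexp.h>

/* Constructed probe inputs; `echo 1` is a harmless stand-in command. */
static const char *const probes[] = {
    "$(echo 1)",        /* plain command substitution           */
    "`echo 1`",         /* backtick form                        */
    "$((`echo 1`))",    /* the form named in the advisory       */
    "$(($(echo 1)))",   /* same nesting with $( ) inside $(( )) */
};

/*  1: rejected with WRDE_CMDSUB (WRDE_NOCMD enforced)
 *  0: expansion succeeded, so the substitution was performed (flag ignored)
 * -1: some other wordexp() error */
int nocmd_enforced(const char *input)
{
    wordexp_t we;
    int rc = wordexp(input, &we, WRDE_NOCMD);

    if (rc == WRDE_CMDSUB)
        return 1;
    if (rc == 0) {
        wordfree(&we);  /* release the expanded word list */
        return 0;
    }
    return -1;
}

/* Number of probes the libc failed to reject; 0 is the patched behaviour. */
int count_unenforced(void)
{
    int bad = 0;

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int r = nocmd_enforced(probes[i]);
        printf("%-16s %s\n", probes[i], r == 1 ? "rejected" : "NOT rejected");
        if (r != 1)
            bad++;
    }
    return bad;
}

int main(void)
{
    int bad = count_unenforced();
    printf("%d probe(s) not rejected\n", bad);
    return bad ? 1 : 0;  /* non-zero exit: WRDE_NOCMD is not fully enforced */
}
```

Build it against the C library of the target image and run it there; a non-zero exit status means at least one probe was expanded despite WRDE_NOCMD.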
