This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] locale directory traversal (CVE-2014-0475, bug 17137)
- From: Allan McRae <allan at archlinux dot org>
- To: "Carlos O'Donell" <carlos at redhat dot com>, Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Thu, 10 Jul 2014 06:53:52 +1000
- Subject: Re: [PATCH] locale directory traversal (CVE-2014-0475, bug 17137)
- Authentication-results: sourceware.org; auth=none
- References: <53BD6A5A dot 2020001 at redhat dot com> <53BD95CE dot 1060307 at redhat dot com>
On 10/07/14 05:19, Carlos O'Donell wrote:
> Florian,
>
> All of these patches look good to me and should get checked in.
> To be clear, patch #1, #2, and #3 are ready to get checked in and
> should be checked in immediately to fix CVE-2014-0475.
>
> Allan,
>
> Patch #1 is an alloca hardening that prevents overly long locale
> names from blowing out the stack. This should IMO be considered a bug
> and this patch allowed in our 2.20 freeze mode.
>
> The rest of the patches fix the CVE, and should absolutely make it for
> 2.20.
>
> Your final call on patch #1 though.
>
The freeze is still slushy so go ahead and commit (I would want it
committed anyway).

Allan