[PATCH] locale directory traversal (CVE-2014-0475, bug 17137)
Allan McRae
allan@archlinux.org
Wed Jul 9 20:54:00 GMT 2014
On 10/07/14 05:19, Carlos O'Donell wrote:
> Florian,
>
> All of these patches look good to me and should get checked in.
> To be clear, patch #1, #2, and #3 are ready to get checked in and
> should be checked in immediately to fix CVE-2014-0475.
>
> Allan,
>
> Patch #1 is an alloca hardening that prevents overly long locale
> names from blowing out the stack. This should IMO be considered a bug
> and this patch allowed in our 2.20 freeze mode.
>
> The rest of the patches fix the CVE, and should absolutely make it for
> 2.20.
>
> Your final call on patch #1 though.
>
The freeze is still slushy so go ahead and commit (I would want it
committed anyway).
Allan