From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (qmail 16344 invoked by alias); 10 Jul 2014 23:20:06 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 16255 invoked by uid 55); 10 Jul 2014 23:19:59 -0000
From: "cvs-commit at gcc dot gnu.org"
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/17137] Directory traversal in locale environment handling (CVE-2014-0475)
Date: Thu, 10 Jul 2014 23:20:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: localedata
X-Bugzilla-Version: unspecified
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-07/txt/msg00596.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=17137

--- Comment #3 from cvs-commit at gcc dot gnu.org ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been updated
       via  d07eb371352d67ee4ef931b6956d1e0f28b599dc (commit)
       via  176fc6c7ddec8d93468f9b790d39dcab6d41b1a6 (commit)
       via  b76db403426d4978ca2e60998c6dc62668a3f998 (commit)
      from  7e09ce56759640a4bf10e4d6ddca77757e115f13 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d07eb371352d67ee4ef931b6956d1e0f28b599dc

commit d07eb371352d67ee4ef931b6956d1e0f28b599dc
Author: Florian Weimer
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=176fc6c7ddec8d93468f9b790d39dcab6d41b1a6

commit 176fc6c7ddec8d93468f9b790d39dcab6d41b1a6
Author: Florian Weimer
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b76db403426d4978ca2e60998c6dc62668a3f998

commit b76db403426d4978ca2e60998c6dc62668a3f998
Author: Florian Weimer
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                   |   27 ++++++
 NEWS                        |   11 ++-
 locale/findlocale.c         |   74 +++++++++++++---
 locale/setlocale.c          |   14 +++-
 localedata/ChangeLog        |    6 ++
 localedata/Makefile         |    2 +-
 localedata/tst-setlocale3.c |  203 +++++++++++++++++++++++++++++++++++++++++++
 manual/locale.texi          |  146 ++++++++++++++++++++++++-------
 8 files changed, 434 insertions(+), 49 deletions(-)
 create mode 100644 localedata/tst-setlocale3.c

--
You are receiving this mail because:
You are on the CC list for the bug.