{"id":"MGASA-2014-0314","summary":"Updated glibc packages fix security issues","details":"Stephane Chazelas discovered that directory traversal issue in locale\nhandling in glibc.  glibc accepts relative paths with \"..\" components\nin the LC_* and LANG variables.  Together with typical OpenSSH\nconfigurations (with suitable AcceptEnv settings in sshd_config), this\ncould conceivably be used to bypass ForceCommand restrictions (or\nrestricted shells), assuming the attacker has sufficient level of\naccess to a file system location on the host to create crafted locale\ndefinitions there. (CVE-2014-0475)\n\nDavid Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where\nposix_spawn_file_actions_addopen fails to copy the path argument (glibc\nbz #17048) which can, in conjunction with many common memory management\ntechniques from an application, lead to a use after free, or other\nvulnerabilities. (CVE-2014-4043)\n\nThis update also fixes the following issues:\nx86: Disable x87 inline functions for SSE2 math (glibc bz #16510)\nmalloc: Fix race in free() of fastbin chunk (glibc bz #15073)\n","modified":"2026-04-16T01:45:15.510543728Z","published":"2014-08-05T20:08:48Z","upstream":["CVE-2014-0475","CVE-2014-4043"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0314.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13800"},{"type":"REPORT","url":"https://www.sourceware.org/bugzilla/show_bug.cgi?id=17048"},{"type":"REPORT","url":"https://www.sourceware.org/bugzilla/show_bug.cgi?id=16510"},{"type":"REPORT","url":"https://www.sourceware.org/bugzilla/show_bug.cgi?id=15073"}],"affected":[{"package":{"name":"glibc","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/glibc?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.17-7.3.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0314.json"}},{"package":{"name":"glibc","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/glibc?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.18-9.2.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0314.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}