{"id":"MGASA-2014-0496","summary":"Updated glibc packages fix CVE-2014-7817","details":"The function wordexp() fails to properly handle the WRDE_NOCMD\nflag when processing arithmetic inputs in the form of \"$((... ``))\"\nwhere \"...\" can be anything valid. The backticks in the arithmetic\nepxression are evaluated by in a shell even if WRDE_NOCMD forbade\ncommand substitution. This allows an attacker to attempt to pass\ndangerous commands via constructs of the above form, and bypass\nthe WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).\n","modified":"2026-04-16T01:46:16.682209068Z","published":"2014-11-26T17:29:06Z","upstream":["CVE-2014-7817"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0496.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14651"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1157689"}],"affected":[{"package":{"name":"glibc","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/glibc?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.17-7.6.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0496.json"}},{"package":{"name":"glibc","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/glibc?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.18-9.5.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0496.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}