git.ipfire.org Git - thirdparty/glibc.git/commitdiff
Mention CVE-2014-4043 in NEWS
author Allan McRae <allan@archlinux.org>
Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)
committer Allan McRae <allan@archlinux.org>
Fri, 5 Sep 2014 12:44:07 +0000 (22:44 +1000)
(cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

Conflicts:
NEWS

ChangeLog
NEWS

index 658bec91d30107b6b47d78b945be23382abd8b2b..cbabc37eb53e45eeb307557ce1451401c3fd80ee 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-06-21  Allan McRae  <allan@archlinux.org>
+
+       * NEWS: Mention CVE-2014-4043.
+
 2014-06-12  Stefan Liebler  <stli@linux.vnet.ibm.com>
 
        * posix/spawn_faction_addopen.c: Include string.h.
diff --git a/NEWS b/NEWS
index 95392942898d295cb2b75190d794a3cb08e3a445..4a51ac6b9a76f841c5c4a0ec61421fec05d86252 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,12 @@ Version 2.19.1
 * The following bugs are resolved with this release:
 
   16545, 16623, 16882, 16885, 16916, 16943, 16958, 17048.
+
+* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
+  copy the path argument.  This allowed programs to cause posix_spawn to
+  deference a dangling pointer, or use an unexpected pathname argument if
+  the string was modified after the posix_spawn_file_actions_addopen
+  invocation.
 \f
 Version 2.19
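
Review bot: "deference" in the third added line of the NEWS entry should be "dereference" ("posix_spawn to dereference a dangling pointer"). The entry also does not say which of the bug numbers in the resolved-bugs list just above it tracks this CVE; putting the bug number next to CVE-2014-4043 would let a reader get from the NEWS text to the fix. Because the commit message records a conflict in NEWS, please confirm the paragraph was meant to land under Version 2.19.1, directly after the resolved-bugs list, which is where the hunk header places it.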