Mention CVE-2014-4043 in NEWS

author Allan McRae <allan@archlinux.org>

Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)

committer Adhemerval Zanella <azanella@linux.vnet.ibm.com>

Thu, 15 Jan 2015 20:18:56 +0000 (15:18 -0500)
author Allan McRae <allan@archlinux.org>
Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)
committer Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Thu, 15 Jan 2015 20:18:56 +0000 (15:18 -0500)
diff --git a/ChangeLog b/ChangeLog

index a101ac8e4efb309573af9da632fe4b0264957c5f..ed23b08123d550e5d48354e0aa7854a89af98975 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-06-21  Allan McRae  <allan@archlinux.org>
+
+       * NEWS: Mention CVE-2014-4043.
+
  2014-06-11  Florian Weimer  <fweimer@redhat.com>
  
         [BZ #17048]
diff --git a/NEWS b/NEWS

index 17450609e16e5adb25d08cd1526115a75dd427c7..a0bf400923575487c488f30d1aa185b574d17550 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,12 @@ Version 2.16.1
    6530, 14195, 14547, 14459, 14476, 14562, 14621, 14648, 14699, 14756, 14831,
    15078, 15754, 15755, 16072, 17048, 17137, 17187, 17325.
  
+* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
+  copy the path argument.  This allowed programs to cause posix_spawn to
+  deference a dangling pointer, or use an unexpected pathname argument if
+  the string was modified after the posix_spawn_file_actions_addopen
+  invocation.
+
  * Decoding a crafted input sequence in the character sets IBM933, IBM935,
    IBM937, IBM939, IBM1364 could result in an out-of-bounds array read,
    resulting a denial-of-service security vulnerability in applications which
author	Allan McRae <allan@archlinux.org>
	Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)
committer	Adhemerval Zanella <azanella@linux.vnet.ibm.com>
	Thu, 15 Jan 2015 20:18:56 +0000 (15:18 -0500)
ChangeLog		patch \| blob \| blame \| history
NEWS		patch \| blob \| blame \| history