git.ipfire.org Git - thirdparty/glibc.git/commitdiff
Mention CVE-2014-4043 in NEWS
author Allan McRae <allan@archlinux.org>
Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)
committer Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Fri, 16 Jan 2015 12:49:14 +0000 (07:49 -0500)
ChangeLog
NEWS

index 45675f296e0e3ec2f2dc17e798199c50bdd4860e..b399a9b14333c55a39d076c84059df5c3fa2492d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-06-21  Allan McRae  <allan@archlinux.org>
+
+       * NEWS: Mention CVE-2014-4043.
+
 2014-06-11  Florian Weimer  <fweimer@redhat.com>
 
        [BZ #17048]
diff --git a/NEWS b/NEWS
index b6d603aeb81a13ec6417c44d26bd9904034a156a..7aa51f1559392d551083448365ad7ab886eb2c78 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,12 @@ Version 2.19.1
   silently replaced with the "C" locale when running in AT_SECURE mode
   (e.g., in a SUID program).  This is no longer necessary because of the
   additional checks.
+
+* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
+  copy the path argument.  This allowed programs to cause posix_spawn to
+  deference a dangling pointer, or use an unexpected pathname argument if
+  the string was modified after the posix_spawn_file_actions_addopen
+  invocation.
 \f
 Version 2.19
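Review bot: typo in the added NEWS text: "deference a dangling pointer" should read "dereference a dangling pointer". The entry also names only the CVE. If a bug tracker entry exists for the fix, citing it here would let someone tracking CVE-2014-4043 find the corresponding change. The new paragraph sits directly before the form feed that precedes "Version 2.19", so it is worth confirming the blank-line spacing matches the other entries in the Version 2.19.1 section.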