From: Florian Weimer Date: Wed, 16 Aug 2017 14:47:20 +0000 (+0200) Subject: Add ChangeLog reference to bug 16750/CVE-2009-5064 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=407ec876262f0e6f55635ea0783f1f4a6c5d127f;p=thirdparty%2Fglibc.git Add ChangeLog reference to bug 16750/CVE-2009-5064 (cherry picked from commit 403143e1df85dadd374f304bd891be0cd7573e3b) --- diff --git a/ChangeLog b/ChangeLog index dfacabe5ff8..a01b406e426 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,6 +48,8 @@ 2017-08-16 Andreas Schwab + [BZ #16750] + CVE-2009-5064 * elf/ldd.bash.in: Never run file directly. 2016-10-14 Carlos Eduardo Seo diff --git a/NEWS b/NEWS index ebebb402e10..d7c016c021e 100644 --- a/NEWS +++ b/NEWS @@ -81,6 +81,12 @@ Version 2.22.1 to the allocation of too much memory. (This is not a security bug per se, it is mentioned here only because of the CVE assignment.) Reported by Qualys. + +* CVE-2009-5064: The ldd script would sometimes run the program under + examination directly, without preventing code execution through the + dynamic linker. (The glibc project disputes that this is a security + vulnerability; only trusted binaries must be examined using the ldd + script.) Version 2.22
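Review bot: The subject line, "Add ChangeLog reference to bug 16750/CVE-2009-5064", describes only the two lines added to the 2017-08-16 entry in the ChangeLog hunk, while the same commit also adds a NEWS item. Suggest a subject that covers both files, for example "Add ChangeLog and NEWS references to bug 16750/CVE-2009-5064", so the NEWS change is visible to anyone scanning the branch log.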
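Review bot: In the NEWS hunk, the closing sentence "only trusted binaries must be examined using the ldd script" can be read as an obligation to examine trusted binaries rather than as a restriction on ldd; "the ldd script must only be used to examine trusted binaries" states the intended limit. The item also omits the bug number that the ChangeLog hunk records as [BZ #16750], so a reader starting from NEWS has only the CVE id to search on. The phrase "would sometimes run" gives no hint of the condition; a short clause saying when ldd ran the file directly would let users judge whether past use on untrusted files matters to them.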