From: Allan McRae Date: Sat, 21 Jun 2014 07:23:55 +0000 (+1000) Subject: Mention CVE-2014-4043 in NEWS X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b2bd5d9607d2ea6e18e8bf32695322e5ae0ebb4;p=thirdparty%2Fglibc.git Mention CVE-2014-4043 in NEWS --- diff --git a/ChangeLog b/ChangeLog index e24271c45d2..3a38309ee10 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2014-06-21 Allan McRae + + * NEWS: Mention CVE-2014-4043. + 2014-06-11 Florian Weimer [BZ #17048] diff --git a/NEWS b/NEWS index fa6caeb75a5..8fc3cf871d3 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,12 @@ Version 2.18.1 * Support for powerpc64le has been added. +* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not + copy the path argument. This allowed programs to cause posix_spawn to + deference a dangling pointer, or use an unexpected pathname argument if + the string was modified after the posix_spawn_file_actions_addopen + invocation. + * Locale names, including those obtained from environment variables (LANG and the LC_* variables), are more tightly checked for proper syntax. setlocale will now fail (with EINVAL) for locale names that are overly
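Review bot: In the NEWS hunk, the new CVE-2014-4043 entry reads "cause posix_spawn to deference a dangling pointer"; "deference" should be "dereference". The entry also describes only the old behaviour ("did not copy the path argument") and leaves the new behaviour implied. Consider adding a closing sentence that says the path argument is now copied, so that a reader of NEWS can tell that callers which free or modify the string after posix_spawn_file_actions_addopen returns are no longer affected.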