Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Informations
Name CVE-2014-5119 First vendor Publication 2014-08-29
Vendor Cve Last vendor Modification 2020-03-31

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-189 Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26388
 
Oval ID: oval:org.mitre.oval:def:26388
Title: RHSA-2014:1110: glibc security update (Important)
Description: The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly.
Family: unix Class: patch
Reference(s): RHSA-2014:1110-00
CESA-2014:1110
CVE-2014-0475
CVE-2014-5119
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
CentOS Linux 5
CentOS Linux 6
CentOS Linux 7
Product(s): glibc
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26688
 
Oval ID: oval:org.mitre.oval:def:26688
Title: DSA-3012-1 eglibc - security update
Description: Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution.
Family: unix Class: patch
Reference(s): DSA-3012-1
CVE-2014-5119
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): eglibc
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26789
 
Oval ID: oval:org.mitre.oval:def:26789
Title: SUSE-SU-2014:1125-1 -- Security update for glibc
Description: This glibc update fixes a critical privilege escalation problem and two non-security issues: * bnc#892073: An off-by-one error leading to a heap-based buffer overflow was found in __gconv_translit_find(). An exploit that targets the problem is publicly available. (CVE-2014-5119) * bnc#892065: setenv-alloca.patch: Avoid unbound alloca in setenv. * bnc#888347: printf-multibyte-format.patch: Don't parse %s format argument as multi-byte string. Security Issues: * CVE-2014-5119 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1125-1
CVE-2014-5119
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): glibc
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27192
 
Oval ID: oval:org.mitre.oval:def:27192
Title: ELSA-2014-1110 -- glibc security update (important)
Description: An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-5119) A directory traveral flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-0475)
Family: unix Class: patch
Reference(s): ELSA-2014-1110
CVE-2014-0475
CVE-2014-5119
Version: 3
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): glibc
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 113
Os 1

ExploitDB Exploits

id Description
2014-08-27 glibc Off-by-One NUL Byte gconv_translit_find Exploit

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-01-22 IAVM : 2015-B-0007 - Multiple Vulnerabilities in Juniper Secure Analytics (JSA) and Security Threa...
Severity : Category I - VMSKEY : V0058213

Nessus® Vulnerability Scanner

Date Description
2016-02-18 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201602-02.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1129-1.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1128-1.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1122-1.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1119-1.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-168.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-43.nasl - Type : ACT_GATHER_INFO
2015-02-02 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2015-0024.nasl - Type : ACT_GATHER_INFO
2015-02-02 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2015-0023.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2014-0017.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2014-0033.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1118.nasl - Type : ACT_GATHER_INFO
2014-10-20 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9830.nasl - Type : ACT_GATHER_INFO
2014-10-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-399.nasl - Type : ACT_GATHER_INFO
2014-09-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-536.nasl - Type : ACT_GATHER_INFO
2014-09-12 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-175.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1110.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1110.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1110.nasl - Type : ACT_GATHER_INFO
2014-08-29 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2328-1.nasl - Type : ACT_GATHER_INFO
2014-08-29 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9824.nasl - Type : ACT_GATHER_INFO
2014-08-28 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3012.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
BID http://www.securityfocus.com/bid/68983
http://www.securityfocus.com/bid/69738
CISCO http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-5119
CONFIRM http://linux.oracle.com/errata/ELSA-2015-0092.html
http://www-01.ibm.com/support/docview.wss?uid=swg21685604
https://sourceware.org/bugzilla/show_bug.cgi?id=17187
DEBIAN http://www.debian.org/security/2014/dsa-3012
FULLDISC http://seclists.org/fulldisclosure/2014/Aug/69
GENTOO https://security.gentoo.org/glsa/201602-02
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2014:175
MISC http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edit...
https://code.google.com/p/google-security-research/issues/detail?id=96
MLIST http://www.openwall.com/lists/oss-security/2014/07/14/1
http://www.openwall.com/lists/oss-security/2014/08/13/5
REDHAT http://rhn.redhat.com/errata/RHSA-2014-1118.html
https://rhn.redhat.com/errata/RHSA-2014-1110.html
SECUNIA http://secunia.com/advisories/60345
http://secunia.com/advisories/60358
http://secunia.com/advisories/60441
http://secunia.com/advisories/61074
http://secunia.com/advisories/61093
SUSE http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00017.html

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Date Informations
2020-05-24 01:14:13
  • Multiple Updates
2020-05-23 01:52:43
  • Multiple Updates
2020-05-23 00:41:44
  • Multiple Updates
2017-01-07 09:25:41
  • Multiple Updates
2016-06-03 09:25:14
  • Multiple Updates
2016-05-03 13:30:31
  • Multiple Updates
2016-04-29 13:31:42
  • Multiple Updates
2016-04-26 13:27:45
  • Multiple Updates
2016-02-27 13:27:00
  • Multiple Updates
2016-02-19 13:26:19
  • Multiple Updates
2015-12-05 13:26:39
  • Multiple Updates
2015-10-18 17:22:47
  • Multiple Updates
2015-05-21 13:31:29
  • Multiple Updates
2015-03-31 13:28:42
  • Multiple Updates
2015-03-27 13:28:28
  • Multiple Updates
2015-03-11 13:24:55
  • Multiple Updates
2015-02-06 09:22:52
  • Multiple Updates
2015-02-03 13:24:13
  • Multiple Updates
2014-11-27 13:28:34
  • Multiple Updates
2014-11-14 13:28:38
  • Multiple Updates
2014-11-08 13:31:54
  • Multiple Updates
2014-10-28 13:26:24
  • Multiple Updates
2014-10-25 13:25:29
  • Multiple Updates
2014-10-21 13:26:03
  • Multiple Updates
2014-10-12 13:27:26
  • Multiple Updates
2014-10-04 13:31:39
  • Multiple Updates
2014-09-28 13:27:27
  • Multiple Updates
2014-09-14 13:26:42
  • Multiple Updates
2014-09-13 13:43:08
  • Multiple Updates
2014-09-02 21:24:00
  • Multiple Updates
2014-08-31 13:25:13
  • Multiple Updates
2014-08-30 13:25:33
  • Multiple Updates
2014-08-29 21:23:26
  • First insertion