From: Allan McRae Date: Sat, 21 Jun 2014 07:23:55 +0000 (+1000) Subject: Mention CVE-2014-4043 in NEWS X-Git-Tag: upstream/2.30~7281 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d03efb2f979defd473955a455d66b949961d26b2;p=external%2Fglibc.git Mention CVE-2014-4043 in NEWS --- diff --git a/ChangeLog b/ChangeLog index 047fa62..67b7896 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2014-06-21 Allan McRae + + * NEWS: Mention CVE-2014-4043. + 2014-06-20 Roland McGrath * nptl/sysdeps/unix/sysv/linux/smp.h: Moved ... diff --git a/NEWS b/NEWS index 170aed2..8d08cd5 100644 --- a/NEWS +++ b/NEWS @@ -54,6 +54,12 @@ Version 2.20 default mutexes are elided via __builtin_tbegin, if the cpu supports transactions. By default lock elision is not enabled and the elision code is not built. + +* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not + copy the path argument. This allowed programs to cause posix_spawn to + deference a dangling pointer, or use an unexpected pathname argument if + the string was modified after the posix_spawn_file_actions_addopen + invocation. Version 2.19
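Review bot: In the NEWS hunk, the new CVE-2014-4043 entry reads "deference a dangling pointer"; this should be "dereference". The entry also describes the flaw only in the past tense ("did not copy the path argument") and never states the corrected behaviour, so a reader of the Version 2.20 notes has to infer what changed. Consider ending the entry with a short clause saying how posix_spawn_file_actions_addopen now treats the path argument, worded to match the actual fix, so that callers who modify or free the string after the call know whether they are still affected.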