On Fri, Dec 04, 2020 at 03:03:58PM +0100, Salvatore Bonaccorso wrote:
> Source: glibc
> Version: 2.31-5
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=26923
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 2.31-4
>
> Hi,
>
> The following vulnerability was published for glibc.
>
> CVE-2020-29562[0]:
> | The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to
> | 2.32, when converting UCS4 text containing an irreversible character,
> | fails an assertion in the code path and aborts the program,
> | potentially resulting in a denial of service.

The issue may have been introduced by the fix for https://sourceware.org/bugzilla/show_bug.cgi?id=18830, and so by https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4802be92c891903caaf8cae47f685da6f26d4b9a, in 2.30 onwards only. At least the testcase does not trigger in buster, but please double check.

Regards,
Salvatore