CVE-2014-5119
Description
Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Off-by-one error in glibc's __gconv_translit_find allows arbitrary code execution via crafted CHARSET environment variable.
Vulnerability
An off-by-one heap-based buffer overflow exists in the __gconv_translit_find function in gconv_trans.c of the GNU C Library (glibc). The flaw occurs when processing transliteration modules triggered by the CHARSET environment variable during calls to iconv_open(). Affected versions include glibc prior to the patches in Red Hat Enterprise Linux 5, 6, and 7, as well as Oracle Linux 6 and 7 [1][2][4]. The bug allows a single NUL byte to be written beyond the allocated heap buffer.
Exploitation
An attacker can exploit this vulnerability by setting a specially crafted CHARSET environment variable and then invoking an application that calls iconv_open(). This triggers the off-by-one error, writing a NUL byte past the end of a heap buffer. As demonstrated in a Project Zero analysis, this corruption can be leveraged to achieve arbitrary code execution, even with modern glibc heap protections [3]. The exploit requires the attacker to have the ability to control the environment variables of a vulnerable setuid binary or any application using iconv_open().
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected application. In the case of setuid binaries like pkexec, this can lead to local privilege escalation to root [3]. The impact is rated as Important by Red Hat, with a CVSS base score of 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C) [2].
Mitigation
Red Hat released updated glibc packages (e.g., glibc-2.17-55.el7_0.1 for RHEL 7) on August 29, 2014 [1][2]. Oracle Linux followed with updates in January 2015 (ELSA-2015-0092) that also removed support for gconv transliteration loadable modules as a hardening measure [4]. Users should apply the relevant security updates from their distribution. No workaround is available other than removing the transliteration module support, which may break functionality relying on character set conversion.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
References
- googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html (nvd; Third Party Advisory)
- linux.oracle.com/errata/ELSA-2015-0092.html (nvd; Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2014-09/msg00017.html (nvd; Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2014-1118.html (nvd; Third Party Advisory)
- seclists.org/fulldisclosure/2014/Aug/69 (nvd; Mailing List, Third Party Advisory)
- secunia.com/advisories/60345 (nvd; Third Party Advisory)
- secunia.com/advisories/60358 (nvd; Third Party Advisory)
- secunia.com/advisories/60441 (nvd; Third Party Advisory)
- secunia.com/advisories/61074 (nvd; Third Party Advisory)
- secunia.com/advisories/61093 (nvd; Third Party Advisory)
- tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-5119 (nvd; Third Party Advisory)
- www-01.ibm.com/support/docview.wss (nvd; Third Party Advisory)
- www.debian.org/security/2014/dsa-3012 (nvd; Third Party Advisory)
- www.mandriva.com/security/advisories (nvd; Third Party Advisory)
- www.openwall.com/lists/oss-security/2014/07/14/1 (nvd; Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2014/08/13/5 (nvd; Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/68983 (nvd; Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/69738 (nvd; Third Party Advisory, VDB Entry)
- code.google.com/p/google-security-research/issues/detail (nvd; Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2014-1110.html (nvd; Third Party Advisory)
- security.gentoo.org/glsa/201602-02 (nvd; Third Party Advisory)
- sourceware.org/bugzilla/show_bug.cgi (nvd; Issue Tracking, Third Party Advisory)