NEWS: Mention CVE-2021-3326 (iconv assertion with ISO-20220-JP-3)

(cherry picked from commit d7f4f3f5fb1275f0b3d9f4e1b3d9d7b75a5a9e26)
author: Florian Weimer <fweimer@redhat.com> 2021-01-29 17:29:57 +0100
committer: Dmitry V. Levin <ldv@altlinux.org> 2022-10-04 08:00:00 +0000
commit: 3299ce69c50b85696ffa935083c8f8c43f9e0ac5 (patch)
tree: 5991292a9cbbae6a2d322599c52d2610f887df02
parent: b2229db87d686c37839176bddcfbfe98a7376fd7 (diff)
download: glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.tar
glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.tar.gz
glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.tar.bz2
glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index e92ecf66c8..ddbe2733ff 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,12 @@ Security related changes:
   invoked with input containing redundant shift sequences in the IBM1364,
   IBM1371, IBM1388, IBM1390, or IBM1399 character sets.
 
+  CVE-2021-3326: An assertion failure during conversion from the
+  ISO-20220-JP-3 character set using the iconv function has been fixed.
+  This assertion was triggered by certain valid inputs in which the
+  converted output contains a combined sequence of two wide characters
+  crossing a buffer boundary.  Reported by Tavis Ormandy.
+
   CVE-2021-33574: The mq_notify function has a potential use-after-free
   issue when using a notification type of SIGEV_THREAD and a thread
   attribute with a non-default affinity mask.
author	Florian Weimer <fweimer@redhat.com>	2021-01-29 17:29:57 +0100
committer	Dmitry V. Levin <ldv@altlinux.org>	2022-10-04 08:00:00 +0000
commit	3299ce69c50b85696ffa935083c8f8c43f9e0ac5 (patch)
tree	5991292a9cbbae6a2d322599c52d2610f887df02
parent	b2229db87d686c37839176bddcfbfe98a7376fd7 (diff)
download	glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.tar glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.tar.gz glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.tar.bz2 glibc-3299ce69c50b85696ffa935083c8f8c43f9e0ac5.zip