8.54. glibc

Updated glibc packages that fix three security issues and several bugs, and add various enhancements, are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fixes

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions (pvalloc, valloc, and memalign). If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
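A regression check for the allocator fix described above, added here as an example rather than taken from the advisory or the glibc sources: it requests an aligned block whose size wraps past SIZE_MAX once rounded up for alignment, which a fixed memalign()/valloc() must reject by returning NULL (glibc sets errno to ENOMEM).

```c
#include <errno.h>
#include <malloc.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A size that is representable on its own but cannot survive the rounding
   an aligned allocator performs: adding one page to it wraps past SIZE_MAX.
   Kept volatile so the compiler neither folds the call nor warns about it. */
static volatile size_t near_max = SIZE_MAX - 4095;

/* Returns 1 when memalign() refuses the wrapping size, 0 when it hands back
   a block for an impossible request (the behaviour the fix removes). */
int memalign_rejects_overflow(void)
{
    errno = 0;
    void *p = memalign(4096, near_max);
    if (p != NULL) { free(p); return 0; }
    return 1;
}

/* Same check for valloc(), which aligns to the page size internally. */
int valloc_rejects_overflow(void)
{
    errno = 0;
    void *p = valloc(near_max);
    if (p != NULL) { free(p); return 0; }
    return 1;
}

int main(void)
{
    int ok = memalign_rejects_overflow();
    printf("memalign(4096, SIZE_MAX-4095): %s (errno=%d)\n",
           ok ? "rejected" : "ACCEPTED", errno);
    ok = valloc_rejects_overflow();
    printf("valloc(SIZE_MAX-4095):         %s (errno=%d)\n",
           ok ? "rejected" : "ACCEPTED", errno);
    return 0;
}
```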
A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.
It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.

Bug Fixes

Due to a defect in the initial release of the getaddrinfo() function in Red Hat Enterprise Linux 6.0, AF_INET and AF_INET6 queries resolved from the /etc/hosts file returned the queried names as canonical names. Although incorrect, this behavior is still considered the expected behavior. As a result of a recent change to getaddrinfo(), AF_INET6 queries started resolving canonical names correctly. However, applications that relied on the results of queries resolved from the /etc/hosts file did not expect this change and could thus fail to operate properly. This update applies a fix ensuring that AF_INET6 queries resolved from /etc/hosts always return the queried name as the canonical name. Note that DNS lookups are resolved properly and always return the correct canonical names. A proper fix for AF_INET6 query resolution from /etc/hosts may be applied in a future release; for now, in the absence of a standard, Red Hat suggests that the first entry in the /etc/hosts file that applies to the IP address being resolved be considered the canonical entry.
The pthread_cond_wait() and pthread_cond_timedwait() functions for the AMD64, Intel 64, and Intel P6 architectures contained several synchronization bugs. Consequently, when a multi-threaded program used a priority-inheritance mutex to synchronize access to a condition variable, some threads could enter a deadlock when they were woken up by the pthread_cond_signal() function or canceled. This update fixes these synchronization bugs, and a thread deadlock can no longer occur in the described scenario.
The C library security framework was unable to handle dynamically loaded character conversion routines when loaded at specific virtual addresses. This resulted in an unexpected termination with a segmentation fault when trying to use the dynamically loaded character conversion routine. This update enhances the C library security framework to handle dynamically loaded character conversion routines at any virtual memory address, and crashes no longer occur in the described scenario.
Due to a defect in the standard C library, the library could allocate unbounded amounts of memory and eventually terminate unexpectedly when processing a corrupted NIS request. With this update, the standard C library has been fixed to limit the size of NIS records to the maximum of 16 MB, and the library no longer crashes in this situation. However, it is possible that some configurations with very large NIS maps may no longer work if those maps exceed the maximum of 16 MB.
Previously, the ttyname() and ttyname_r() library calls returned an error if the proc (/proc/) file system was not mounted. As a result, certain applications could not properly run in a chroot environment. With this update, if the ttyname() and ttyname_r() calls cannot read the /proc/self/fd/ directory, they attempt to obtain the name of the respective terminal from the devices known to the system (the /dev and /dev/pts directories) rather than immediately return an error. Applications running in a chroot environment now work as expected.
A defect in the standard C library resulted in an attempt to free memory that was not allocated with the malloc() function. Consequently, the dynamic loader could terminate unexpectedly when loading shared libraries that require the dynamic loader to search non-default directories. The dynamic loader has been modified to avoid calling the free() routine for memory that was not allocated using malloc() and no longer crashes in this situation.
Due to a defect in the getaddrinfo() resolver function, getaddrinfo() could, under certain conditions, return results that were not Fully Qualified Domain Names (FQDN) when FQDN results were requested. Applications using getaddrinfo() that expected FQDN results could fail to operate correctly. The resolver has been fixed to return FQDN results as expected when an FQDN result is requested and the AI_CANONNAME flag is set.
The backtrace() function did not print call frames correctly on the AMD64 and Intel 64 architecture if the call stack contained a recursive function call. This update fixes this behavior so backtrace() now prints call frames as expected.
Debug information previously contained the name "fedora" which could lead to confusion and the respective package could be mistaken for a Fedora-specific package. To avoid this confusion, the package build framework has been changed to ensure that the debug information no longer contains the name "fedora."
A program that opened and used dynamic libraries which used thread-local storage variables may have terminated unexpectedly with a segmentation fault when it was being audited by a module that also used thread-local storage. This update modifies the dynamic linker to detect such a condition, and crashes no longer occur in the described scenario.
When the /etc/resolv.conf file was missing on the system or did not contain any nameserver entries, getaddrinfo() failed instead of sending a DNS query to the local DNS server. This bug has been fixed and getaddrinfo() now queries the local DNS server in this situation.
A previous fix to prevent logic errors in various mathematical functions, including exp(), exp2(), expf(), exp2f(), pow(), sin(), tan(), and rint(), created CPU performance regressions for certain inputs. The performance regressions have been analyzed and the core routines have been optimized to raise CPU performance to expected levels.
Previously, multi-threaded applications using the QReadWriteLocks locking mechanism could experience performance issues under heavy load. This happened because the Qt library repeatedly called the inefficiently implemented sysconf() function. This update improves the glibc implementation of sysconf() by caching the value of _SC_NPROCESSORS_ONLN, so the system no longer spends large amounts of time parsing the /proc/stat file. Performance of the aforementioned applications, as well as of applications that repeatedly request the value of _SC_NPROCESSORS_ONLN, should improve significantly.
Improvements to the accuracy of the floating point functions in the math library, which were introduced by the RHBA-2013:0279 advisory, led to a performance decrease for those functions. With this update, the performance regressions have been analyzed and a fix has been applied that retains the current accuracy but reduces the performance penalty to acceptable levels.
If user groups were maintained on an NIS server and queried over the NIS compat interface, queries for user groups containing a large number of users could return an incomplete list of users. This update fixes multiple bugs in the compat interface so that group queries in the described scenario now return correct results.
Due to a defect in the name service cache daemon (nscd), cached DNS queries returned, under certain conditions, only IPv4 addresses even though the AF_UNSPEC address family was specified and both IPv4 and IPv6 results existed. The defect has been corrected and nscd now correctly returns both IPv4 and IPv6 results in this situation.
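A small diagnostic, added here as an example and not part of the advisory or of glibc, that shows what an application actually receives for the two getaddrinfo() behaviours described above: the canonical name reported with AI_CANONNAME (the /etc/hosts versus DNS difference) and how many IPv4 and IPv6 results an AF_UNSPEC query returns (the nscd caching fix). Run it once with nscd stopped and once with it running to compare; the default host name "localhost" is only a sample input.

```c
#define _GNU_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct resolve_summary {
    char canon[256];   /* ai_canonname of the first result, "" if none */
    int  n_inet;       /* number of AF_INET addresses returned */
    int  n_inet6;      /* number of AF_INET6 addresses returned */
};

/* Resolve `host` for `family` (AF_INET, AF_INET6 or AF_UNSPEC) with
   AI_CANONNAME set and summarise what came back. Returns 0 on success or
   the getaddrinfo() error code (decode it with gai_strerror()). */
int resolve_summary(const char *host, int family, struct resolve_summary *out)
{
    struct addrinfo hints, *res, *p;
    memset(&hints, 0, sizeof hints);
    memset(out, 0, sizeof *out);
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;   /* one entry per address, not per protocol */
    hints.ai_flags = AI_CANONNAME;
    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    /* glibc stores the canonical name only in the first addrinfo */
    if (res->ai_canonname)
        snprintf(out->canon, sizeof out->canon, "%s", res->ai_canonname);
    for (p = res; p != NULL; p = p->ai_next) {
        if (p->ai_family == AF_INET)       out->n_inet++;
        else if (p->ai_family == AF_INET6) out->n_inet6++;
    }
    freeaddrinfo(res);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";   /* sample input */
    const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
    const char *names[]  = { "AF_INET", "AF_INET6", "AF_UNSPEC" };
    for (int i = 0; i < 3; i++) {
        struct resolve_summary s;
        int rc = resolve_summary(host, families[i], &s);
        if (rc != 0)
            printf("%-9s error: %s\n", names[i], gai_strerror(rc));
        else
            printf("%-9s canon=\"%s\" inet=%d inet6=%d\n",
                   names[i], s.canon, s.n_inet, s.n_inet6);
    }
    return 0;
}
```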
Due to a defect in the dynamic loader, the loader attempted to write to a read-only page in memory while loading a prelinked dynamic application. This resulted in all prelinked applications being terminated unexpectedly during startup. The defect in the dynamic loader has been corrected and prelinked applications no longer crash in this situation.

Enhancements

Previous versions of nscd did not cache netgroup queries. The lack of netgroup caching could result in less than optimal performance for users that relied heavily on netgroup maps in their system configurations. With this update, support for netgroup query caching has been added to nscd. Systems that rely heavily on netgroup maps and use nscd for caching will now have their netgroup queries cached, which should improve performance in most configurations.
Previously, if users wanted to adjust the size of stacks created for new threads, they had to modify the program code. With this update, glibc adds a new GLIBC_PTHREAD_STACKSIZE environment variable allowing users to set the desired default thread stack size in bytes. The variable affects the threads created with the pthread_create() function and default attributes. The default thread stack size may be slightly larger than the requested size due to memory alignment and certain other factors.
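A way to verify what GLIBC_PTHREAD_STACKSIZE actually gives a thread, added here as an example (not code from the advisory or from glibc): it creates a thread with default attributes, the exact case the variable applies to, and reads back the stack size that thread received via pthread_getattr_np(), so the rounding-up mentioned above becomes visible. Assumes a Linux/glibc build with pthread support; on a release without the variable the environment setting is simply ignored.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Thread body: store the stack size this thread was actually given. */
static void *report_stack(void *arg)
{
    pthread_attr_t attr;
    size_t size = 0;
    if (pthread_getattr_np(pthread_self(), &attr) == 0) {
        pthread_attr_getstacksize(&attr, &size);
        pthread_attr_destroy(&attr);
    }
    *(size_t *)arg = size;
    return NULL;
}

/* Create a thread with default attributes (attr == NULL) and return the
   stack size it received. Returns 0 if the thread could not be created.
   Expect a value at or slightly above the requested default because of
   alignment and guard-page handling. */
size_t default_thread_stack_size(void)
{
    pthread_t t;
    size_t size = 0;
    if (pthread_create(&t, NULL, report_stack, &size) != 0)
        return 0;
    pthread_join(t, NULL);
    return size;
}

int main(void)
{
    const char *req = getenv("GLIBC_PTHREAD_STACKSIZE");
    printf("GLIBC_PTHREAD_STACKSIZE=%s\n", req ? req : "(unset)");
    printf("default thread stack size: %zu bytes\n", default_thread_stack_size());
    return 0;
}
```

Run it twice, for instance unset and then with `GLIBC_PTHREAD_STACKSIZE=1048576`, and compare the reported size with the request.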
The dynamic loader now coordinates with GDB to provide an interface that is used to improve the performance of debugging applications with very large lists of loaded libraries.
The glibc packages now provide four Statically Defined Tracing (SDT) probes in the libm libraries for the pow() and exp() functions. The SDT probes can be used to detect whether the input to the functions causes the routines to execute the multi-precision slow paths. This information can be used to detect performance problems in applications calling the pow() and exp() functions.
Support for the MAP_HUGETLB and MAP_STACK flags has been added for use with the mmap() function. Their support depends on kernel support, so applications calling mmap() with these flags should always check the return value to determine whether the call succeeded.
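The check-the-result pattern recommended above, as an added example (not code from the advisory or from glibc): the mapping is first requested with MAP_HUGETLB and, when the kernel has no huge pages configured and rejects it, falls back to an ordinary anonymous mapping, reporting which one was used. The fallback to the `MAP_HUGETLB` macro value is the Linux UAPI constant for headers that predate the flag.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_HUGETLB
#define MAP_HUGETLB 0x40000   /* Linux UAPI value, for headers lacking the flag */
#endif

/* Map `len` bytes of anonymous memory, preferring huge pages. If the kernel
   refuses MAP_HUGETLB (typically ENOMEM when no huge pages are reserved, or
   EINVAL on a kernel without the flag), retry as a normal mapping.
   *used_huge is set to 1 or 0 accordingly. Returns NULL if both fail, with
   errno left from the second attempt. */
void *map_prefer_hugetlb(size_t len, int *used_huge)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);
    if (p != MAP_FAILED) {
        *used_huge = 1;
        return p;
    }
    p = mmap(NULL, len, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    *used_huge = 0;
    return p;
}

int main(void)
{
    size_t len = 2u << 20;   /* 2 MiB: one x86-64 huge page, sample size */
    int huge = -1;
    void *p = map_prefer_hugetlb(len, &huge);
    if (p == NULL) {
        printf("mmap failed: %s\n", strerror(errno));
        return 1;
    }
    memset(p, 0xAA, 4096);   /* touch the mapping to prove it is usable */
    printf("mapped %zu bytes using %s pages\n", len, huge ? "huge" : "normal");
    munmap(p, len);
    return 0;
}
```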
Performance of the sched_getcpu() function has been improved by calling the Virtual Dynamic Shared Object (VDSO) implementation of the getcpu() system call on the PowerPC architecture.
The error string for the ESTALE error code has been updated to print "Stale file handle" instead of "Stale NFS file handle", which should prevent confusion over the meaning of the error. The error string has been translated to all supported languages.
All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.