8.70. glibc

Security Fixes

CVE-2013-4237

An out-of-bounds write flaw was found in the way the glibc's readdir_r() function handled file system entries longer than the NAME_MAX character constant. A remote attacker could provide a specially crafted NTFS or CIFS file system that, when processed by an application using readdir_r(), would cause that application to crash or, potentially, allow the attacker to execute arbitrary code with the privileges of the user running the application.

CVE-2013-4458

It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.

Bug Fixes

BZ#845218

When performing an address lookup to a defective Domain Name System (DNS) server using the getaddrinfo utility with the ai_family option set to AF_UNSPEC, the server could respond with a valid response for the A record and a referral response for the AAAA record, which resulted in a lookup failure. With this update, getaddrinfo has been fixed to return the valid response in such a case.

BZ#905941

Under certain rare circumstances, the pthreads utility terminated unexpectedly during stack unwinding on thread cancellation on the PowerPC architecture. The bug has been fixed and pthreads no longer crashes in the described case.

BZ#981942

Name lookup of internationalized domain names using the getaddrinfo utility occasionally caused the calling program to abort unexpectedly. This update fixes the getaddrinfo code to prevent the abort.

BZ#995972

Due to a bug in the thread local storage (TLS) initialization, the dlopen() function occasionally terminated unexpectedly with a segmentation fault. This bug has been fixed, and dlopen() no longer crashes.

BZ#1019916

The order of relocations was incorrect during symbol dependency testing in the dynamic linker. Consequently, IFUNC resolvers terminated unexpectedly if the dependent symbols have not yet been relocated. This occurred when one of the environment variables LD_WARN or LD_TRACE_PRELINKING was set. This update ensures that relocations done during symbol dependency testing are performed in correct order, thus avoiding the crash.

BZ#1027101

This update modifies certain code paths used by the C library's memory allocator "fastbins" feature to be thread-safe, which prevents segmentation faults previously caused by a corruption in the memory allocator.

BZ#1032628

This update fixes the symbol lookup in the elf/dl-lookup.c function to return correct values.

BZ#1039988

Previously, querying for a non-existent netgroup when the nscd daemon was running returned a spurious empty result and no error message. For example, executing 'getent netgroup foo' retured a spurious empty netgroup and exited successfully with status 0 even if no netgroup named 'foo' existed. This bug has been fixed, and the above command now exits with non-zero exit status, as expected.

BZ#1043557

Due to problems with the buffer extension and reallocation, the nscd daemon terminated unexpectedly with a segmentation fault when processing long netgroup entries. With this update, the handling of long netgroup entries has been fixed, and nscd no longer crashes in the described scenario.

BZ#1044628

The getaddrinfo() function returned an incorrect permanent error EAI_NONAME when the Domain Name System (DNS) server was unreachable or the DNS query timed out. Now, getaddrinfo() returns EAI_AGAIN to indicate a temporary failure in name resolution.

BZ#1054846

This update fixes a bug in the nscd daemon that caused the sudo utility to deny access for valid users in permitted netgroups.

BZ#1074342

This update prevents a memory corruption and a subsequent unexpected crash due to a segmentation fault in the nscd daemon when querying certain netgroups with nested members.

BZ#1085273

When querying an empty netgroup, the nscd daemon occasionally became unresponsive. This has been fixed so that an appropriate error code is returned in the described case.

BZ#1099025

This update fixes a bug in the gettimeofday() function's implementation of the Virtual Dynamic Shared Object (VDSO) that caused the gettimeofday() function to return an incorrect non-changing value.

Enhancements

BZ#1027261

This update adds information about the malloc() function requests satisfied by the mmap system call to the output created by the malloc_info() function.

BZ#1028285

This update adds Virtual Dynamic Shared Object (VDSO) indirect function support for the gettimeofday() system call on 64-bit PowerPC system to improve the performance of gettimeofday().