- Previously, glibc did not walk through the entire list of Network Information Service (NIS) password or group buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire lists so that memory is freed as expected and memory leaks no longer occur in this scenario.
- Using the iconv command to convert a file or string from IBM-930 encoding to another encoding, such as UTF-8, resulted in a segmentation fault. This happened if the file or string contained the invalid multibyte character 0xffff. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, and the segmentation fault no longer occurs.
- Due to logic errors, functions rint() could return different results in non-default rounding modes or terminate with a segmentation fault. Multiple fixes have been applied to the function implementations and the functions now return correct results in all rounding modes. Note that the change can cause runtime performance loss as values which were previously handled by the fast function implementation are now handled by the slower multi-precision library to achieve accurate results.
- The dynamic linker previously sorted cyclic dependencies incorrectly when there were more than 127 Dynamic Shared Objects (DSO). The changed order of the dependencies caused some programs to behave differently or crash due to symbol resolution failure. This update fixes the initialization order of the cyclic dependencies and the problem no longer occurs.
- Various functions that called the nl_explode_name() function failed to check its return value for errors. As a result, applications could terminate unexpectedly after passing a NULL pointer or uninitialized values to the calling functions. The callers of nl_explode_name() have been updated to check for error conditions and fail gracefully.
- Previously, if the Name Service Cache Daemon (nscd) received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying AAAA response. This caused the nscd daemon to wait for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL value for the entire record and DNS entries are now reloaded as expected in this scenario.
- The Slovak currency was set to the Slovak Crown. However, Slovakia now uses the Euro. The Slovak currency has been set to the Euro.
- Previously, glibc did not walk through the entire list of buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire list so that memory is freed as expected and memory leaks no longer occur in this scenario.
- A race between the pthread_cancel() function could cause a process to become unresponsive during forking. This happened because the _IO_unlock_lock macro decremented the lock count before it attempted to unlock its lock and did not check if the count contained a positive value. If the lock was never held since _IO_unlock_lock(), the macro did not release the lock due to the lock count being less than zero. With this update, the lock count is decremented only if it contains a positive value.
- The Ukrainian currency symbol was incorrectly set to rp. With this update, the currency symbol was corrected to
- A race condition existed between functions which allocated and reclaimed stacks in multi-threaded applications. As a result, some applications could enter a deadlock. The code for managing lists of stacks has been changed to publish its changes to all threads at the appropriate time. This fixes synchronization between the multiple threads and eliminates the race condition.
- The Name Service Cache Daemon (nscd) terminated unexpectedly if a group contained a few thousand members. This was caused by a stack overflow which resulted in a segmentation fault in nscd. With this update, when a large amount of memory is needed for a group with many members, the memory is allocated on the heap instead of the stack. This prevents the stack overflow and nscd no longer crashes in this scenario.
- During installation on IBM System z, Red Hat Enterprise Linux Server installer returned traceback with the following error value after the stage2 download: ValueError: (3, 'No such process'). This was due to a workaround implementation for IBM System z in the fegetenv() function in the math.h header file. With this update, the function implementation was modified so as to follow the IEEE standard and the problem no longer occurs.
- A race condition between the setuid() function and the sighandler_setxid() function could result in a lock remaining unreleased. As a result, an application could remain in a deadlock. With this update, the lock is released in this scenario and proper synchronization between the threads is maintained.
- Prior to this update, when a multi-threaded process called the qsort() function, a race condition could occur. This could result in an uninitialized memory read and the process could receive a floating point exception or other fault condition. The race condition in the function code has been fixed and the problem no longer occurs.
- Calling the strncmp() function on the Power4 processors could cause the program to terminate unexpectedly. This occurred because the function occasionally attempted to read past the zero byte in certain cases. With this update, strings are aligned correctly and the function no longer attempts to read past the zero byte.
- The Portuguese locale (pt_PT.utf8) incorrectly used the $ character instead of the , character as its decimal point. The error has been corrected and the , character is now used as the decimal point as expected.
- Previously, if the /etc/resolv.conf file contained an IPv6 DNS server address with trailing spaces, the address failed to be parsed correctly and DNS lookups with the ping6 command failed. With this update, the parsing code has been corrected so as to cope with trailing spaces and the problem no longer occurs.
- The sysconf() function allows applications to determine values for system limits or options at runtime. The mechanism that sysconf uses to acquire various CACHE parameters previously failed to look up the requested information on Intel Xeon X5670 processors and incorrectly returned zero values. The sysconf() function has been modified to acquire the system information on these processors correctly and the problem no longer occurs.
- A missing check of memory allocation and an incorrect loop test in the nss/getnssent.c source file could cause an application to fail. The memory allocation check and the loop test code have been added and the problem no longer occurs.
- Previously, the ttyname_r() calls returned an error if the /proc/ directory was not mounted. Consequently, some applications did not run in the chroot environment properly. With this update, if the /proc/self/fd/ directory cannot be read, the calls iterate through devices first and only then return an error. As a result, applications which were previously failing now work correctly.
- The getgrent() function generated an error when it requested to read a Network Information Services (NIS) group record of 1024 bytes from the NIS master server. This happened because the function attempted to free an unallocated pointer. With this update, the free() function is not called under these circumstances and getgrent() now works as expected in this scenario.
- Various functions (getaddrinfo) could potentially allocate unlimited amounts of data on the stack. As a result, these functions were potential security attack vectors. With this update, these routines use malloc() when allocating large amounts of memory and the security issue is eliminated.
- The Finnish locale included redundant trailing spaces in month abbreviations. This could cause parsing and conversion problems when working with dates. With this update, the trailing spaces have been removed from the definition of abbreviated month format and the parsing and conversion of abbreviated month names work as expected.
- Abbreviated month names in the simplified Chinese locale (zh_CN) contained redundant spaces, which caused incorrect output of dates. With this update, the spaces have been removed from the format definition and the system returns dates formatted correctly.
- The Name Service Cache Daemon (nscd) initscript was returning a non-zero exit status when a stop was requested on an already stopped daemon. However, the expected behavior is to consider the request to be successful and return the exit status of zero. The nscd initscript has been modified to handle this case correctly and set the exit status appropriately.
- Previously, the fnmatch() function failed and returned the -1 status code when its pattern argument contained the wildcard character * and the file name argument contained an invalid multibyte encoding character. The fnmatch() function now handles such arguments gracefully: it considers the invalid characters not to match and proceeds.
- If the maximum number of memory pools (arenas) used by a thread was set to 1 (MALLOC_ARENA_MAX=1), the setting was ignored and the program still used multiple pools due to incorrect logic when checking the number of pools in use and reusing pools. With this update, the underlying code has been modified and the pool setting is applied as expected.
- The vfprintf() function returned the ERANGE errno instead of EOVERFLOW when a string of a too long format was specified. The errno is now set correctly to EOVERFLOW in this scenario.
- A Virtual Dynamic Shared Object (VDSO) allows an application in user space to perform some kernel actions with less overhead than if using a system call. The VDSO is often used to provide fast access to the gettimeofday system call data. Support for VDSOs on the IBM System z series platform has been added to glibc.
- Previously, the pthread_create() function used the MAP_32BIT flag to reserve the lower 32 bits of virtual address space for thread stacks so as to provide better performance. This setting is no longer of benefit and in some cases can negatively impact performance. A patch has been backported so that pthread_create() now uses the MAP_STACK flag instead of the MAP_32BIT flag.
- The getaddrinfo() function returns one or more addrinfo structures, each of which contains an Internet socket address. If the hints argument to getaddrinfo() is not NULL, it specifies criteria for selecting the socket address structures to be returned. Previously, getaddrinfo() did not support the Stream Control Transmission Protocol (SCTP) hints. With this update, the getaddrinfo() function has been enhanced to accept SCTP hints.
- An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
- It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
- If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. With this update, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault.
- Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker controlled input, it could cause the application to crash or, potentially, execute arbitrary code.
- Previously, logic errors in various mathematical functions, including exp, exp2, expf, exp2f, pow, sin, tan, and rint, caused inconsistent results when the functions were used with the non-default rounding mode. This could also cause applications to crash in some cases. With this update, the functions now give correct results across the four different rounding modes.
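
The trailing-space case from the /etc/resolv.conf item above, as an added example (not glibc's resolver code): inet_pton() rejects an IPv6 address that is followed by blanks, so a line parser has to strip them before conversion. The function name parse_nameserver6 and the sample lines are constructed for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Parse one resolv.conf line of the form "nameserver <IPv6 address>".
   Returns 1 and fills *out on success, 0 if the line is not a valid IPv6
   nameserver entry. Trailing whitespace is stripped before inet_pton(). */
int parse_nameserver6(const char *line, struct in6_addr *out)
{
    static const char kw[] = "nameserver";
    char addr[INET6_ADDRSTRLEN];
    size_t len;

    while (*line == ' ' || *line == '\t')
        line++;
    if (strncmp(line, kw, sizeof kw - 1) != 0)
        return 0;
    line += sizeof kw - 1;
    if (*line != ' ' && *line != '\t')
        return 0;                 /* keyword must be followed by a blank */
    while (*line == ' ' || *line == '\t')
        line++;

    len = strlen(line);
    while (len > 0 && isspace((unsigned char)line[len - 1]))
        len--;                    /* drop trailing spaces, tabs, newline */
    if (len == 0 || len >= sizeof addr)
        return 0;                 /* empty, or too long to be an address */
    memcpy(addr, line, len);
    addr[len] = '\0';
    return inet_pton(AF_INET6, addr, out) == 1;
}

int main(void)
{
    /* Constructed sample lines; 2001:db8::/32 is the documentation prefix. */
    const char *samples[] = {
        "nameserver 2001:db8::53",
        "nameserver 2001:db8::53   \n",
        "nameserver 2001:db8::53 junk",
    };
    struct in6_addr a;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d\n", parse_nameserver6(samples[i], &a));
    return 0;
}
```

Only whitespace at the end of the line is tolerated; an address followed by any other text is still rejected.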
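
The stack-versus-heap rule from the nscd group and getaddrinfo items above, as an added example that is not glibc code: scratch space below an assumed cut-off stays in a fixed stack array, anything larger goes through malloc(), and the size computation is checked for wrap-around first. The names count_unique_members and STACK_SCRATCH_BYTES and the sample group are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_SCRATCH_BYTES 1024   /* assumed cut-off, not a glibc constant */

static int cmp_name(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Counts distinct names in a group member list using n pointers of scratch:
   stack for small lists, heap for large. Returns -1 on overflow or ENOMEM. */
long count_unique_members(const char *const *names, size_t n, int *used_heap)
{
    const char *on_stack[STACK_SCRATCH_BYTES / sizeof(char *)];
    const char **scratch = on_stack;
    long unique = 0;

    *used_heap = 0;
    if (n == 0)
        return 0;
    if (n > SIZE_MAX / sizeof *scratch)
        return -1;                      /* n * sizeof would wrap around */
    if (n * sizeof *scratch > sizeof on_stack) {
        scratch = malloc(n * sizeof *scratch);
        if (scratch == NULL)
            return -1;
        *used_heap = 1;                 /* large request: heap, not stack */
    }
    memcpy(scratch, names, n * sizeof *scratch);
    qsort(scratch, n, sizeof *scratch, cmp_name);
    for (size_t i = 0; i < n; i++)
        if (i == 0 || strcmp(scratch[i - 1], scratch[i]) != 0)
            unique++;
    if (*used_heap)
        free(scratch);
    return unique;
}

int main(void)
{
    static const char *members[5000];   /* constructed group, two names */
    int heap;
    for (size_t i = 0; i < 5000; i++)
        members[i] = (i % 2) ? "odd" : "even";
    printf("%ld %d\n", count_unique_members(members, 5000, &heap), heap);
    return 0;
}
```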