- A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd.
- It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file.
- The installation of the glibc-debuginfo.i686 and glibc-debuginfo.x86_64 packages failed with a transaction check error due to a conflict between the packages. This update adds the glibc-debuginfo-common package that contains debuginfo data that are common for all platforms. The package depends on the glibc-debuginfo package and the user can now install debuginfo packages for different platforms on a single machine.
- When a process corrupted its heap, the malloc() function could enter a deadlock while creating an error message string. As a result, the process could become unresponsive. With this update, the process uses the mmap() function to allocate memory for the error message instead of the malloc() function. The deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully.
- India has adopted a new symbol for the Indian rupee (Unicode U+20B9), leaving the currency symbol used in its locales outdated. The rupee symbol has been updated for all Indian locales.
- The strncmp() function, which compares characters of two strings, could return incorrect results in the variant optimized for IBM POWER4 and POWER7 architectures. This happened because the function accessed data past the terminating zero byte (\0) of the string under certain circumstances. With this update, the function has been modified to access the string data only up to the zero byte and returns correct results.
- The crypt() function could cause a memory leak when used with a more complex salt. The leak arose when the underlying NSS library attempted to call the dlopen() function on libnspr4.so with the RTLD_NOLOAD flag. With this update, the dlopen() call with the RTLD_NOLOAD flag has been fixed and the memory leak no longer occurs.
- On startup, the nscd daemon logged the following error into the log file if SELinux was active:
rhel61 nscd: Can't send to audit system: USER_AVC avc: netlink poll: error 4#012: exe="?" sauid=28 hostname=? addr=? terminal=?
This happened because glibc failed to preserve the respective capabilities on UID change in the AVC thread. With this update, the AVC thread preserves the respective capabilities after the
- BZ#703481, BZ#703480
- When a host was temporarily unavailable, the nscd daemon cached the error without indicating that the problem was only transient, so subsequent requests failed. With this update, the daemon caches a value indicating that the unavailability is temporary and retries obtaining fresh data after a set time limit.
- When a module did not provide its own method for retrieving a user's list of supplemental group memberships, the libc library's default method was used instead, and all groups known to the module were examined to acquire the information. Consequently, applications that attempted to retrieve the information from multiple threads simultaneously interfered with each other and received an incomplete result set. This update provides a module-specific method which prevents this interference.
- On machines using the Network Information Service (NIS), the getpwuid() function failed to resolve UIDs to user names when using the passwd utility in compat mode with a large netgroup. This occurred because glibc was compiled without the -DUSE_BINDINGDIR=1 option. With this update, glibc has been compiled correctly and the getpwuid() function works as expected.
- A debugger could have been presented with an inconsistent state after loading a library. This happened because the ld-linux dynamic loader did not relocate the library before calling the debugger hook. With this update, the library is relocated prior to calling the debugger and the library is accessed successfully.
- The getaddrinfo() function internally uses the simpler gethostbyaddr() functions. In some cases, this could result in incorrect name canonicalization. With this update, the code has been modified and the getaddrinfo() function uses the gethostbyaddr() functions only when appropriate.
- The getpwent() lookups to LDAP (Lightweight Directory Access Protocol) did not return any netgroup users if the NIS (Network Information Service) domain for individual users was not defined in /etc/passwd. This happened when the nss_compat mode was set, as the mode was primarily intended for use with NIS. With this update, getpwent() returns LDAP netgroup users even if the users have no NIS domain defined.
- The libresolv library is now compiled with the stack protector enabled.
- The pthread_create() function failed to cancel a thread properly if setting the real-time scheduling policy failed. This occurred because the __pthread_enable_asynccancel() function, as a non-leaf function, did not align the stack on the 16-byte boundary required by the AMD64 ABI (Application Binary Interface). With this update, the stack alignment is preserved across functions.
- When the setgroups() function was called after threads had been created, glibc did not signal the other threads, and supplementary group IDs were set only for the calling thread. With this update, cross-thread signaling has been introduced in the function and supplementary group IDs are set on all involved threads as expected.
- The setlocale() function could fail. This happened because its parameter values were parsed according to the locale being set. With this update, the parsing is locale-independent.
- A write barrier was missing in the implementation of addition to the linked list of threads. This could result in list corruption after several threads called the fork() function at the same time. The barrier has been added and the problem no longer occurs.
- Statically linked binaries that call the gethostbyname() function terminated because of a division by zero. This happened because the getpagesize() function required the dl_pagesize field in the dynamic linker's read-only state to be set. However, the field was not initialized when a statically linked binary loaded the dynamic linker. With this update, the getpagesize() function no longer requires a non-zero value in the dl_pagesize field and falls back to querying the value through the syscall() function if the field value is not set.
- For some queries, the pathconf() and fpathconf() functions need details about each filesystem type: mapping of its superblock magic number to various filesystem properties that cannot be queried from the kernel. This update adds support for the Lustre file system to pathconf and fpathconf.
- The glibc package now provides functions optimized for the Intel 6 series and Intel Xeon 5600 processors.
- The glibc package now uses SSE2 (Streaming SIMD Extensions 2) instructions in the strlen() function on AMD FX processors.
- This update adds support for the f_flags field, so that the mount flags received from the kernel are reflected in statvfs() output.
- The Linux kernel supports the IP_MULTICAST_ALL socket option for UDP sockets, which controls whether a socket receives datagrams for every multicast group joined on the system or only for the groups it has joined itself (turning off IP multicast multiplexing). This update adds the option to the glibc headers.
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
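The timezone file flaw above is a size computation that trusts the six counts in the TZif header. The following is an added example, not glibc's tzfile.c, showing how a reader of that format should validate the header: every count is bounded by the bytes actually present, and the data size is accumulated with explicit overflow checks. The layout follows tzfile(5); the helper names (tzif_v1_data_size, tzif_make_header, the demo functions) and the constructed headers are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not glibc code: parse a TZif version-1 header and compute,
 * with overflow checks, how many data bytes the six counts imply. */
#define TZIF_HEADER_LEN 44

struct tzif_counts {
    uint32_t ttisutcnt, ttisstdcnt, leapcnt, timecnt, typecnt, charcnt;
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* *acc += a * b without wrapping; returns 0 if the result would not fit. */
static int add_mul(size_t *acc, size_t a, size_t b)
{
    if (a != 0 && b > SIZE_MAX / a) return 0;
    size_t prod = a * b;
    if (prod > SIZE_MAX - *acc) return 0;
    *acc += prod;
    return 1;
}

/* Returns 1 and stores the data block size in *needed, or 0 if the magic is
 * wrong, a count exceeds the payload present, the total overflows, or the
 * file is shorter than the header claims. */
int tzif_v1_data_size(const unsigned char *buf, size_t len, size_t *needed)
{
    if (len < TZIF_HEADER_LEN || memcmp(buf, "TZif", 4) != 0) return 0;

    /* Counts sit at offsets 20..43, big-endian, after magic+version+reserved. */
    uint32_t c[6];
    for (int i = 0; i < 6; i++) c[i] = be32(buf + 20 + 4 * i);
    uint32_t ttisutcnt = c[0], ttisstdcnt = c[1], leapcnt = c[2],
             timecnt = c[3], typecnt = c[4], charcnt = c[5];

    /* Every element occupies at least one byte, so a count larger than the
     * payload is crafted; this check alone defeats the huge-count case. */
    size_t avail = len - TZIF_HEADER_LEN;
    for (int i = 0; i < 6; i++)
        if (c[i] > avail) return 0;

    /* Version-1 data: 4-byte transition times, 1-byte type indices, 6-byte
     * ttinfo records, abbreviation chars, 8-byte leap records, isstd, isut. */
    size_t total = 0;
    if (!add_mul(&total, timecnt, 4) || !add_mul(&total, timecnt, 1) ||
        !add_mul(&total, typecnt, 6) || !add_mul(&total, charcnt, 1) ||
        !add_mul(&total, leapcnt, 8) || !add_mul(&total, ttisstdcnt, 1) ||
        !add_mul(&total, ttisutcnt, 1))
        return 0;

    if (total > avail) return 0;
    *needed = total;
    return 1;
}

/* Build a 44-byte header with the given counts (constructed test input). */
void tzif_make_header(unsigned char out[TZIF_HEADER_LEN], const struct tzif_counts *c)
{
    memset(out, 0, TZIF_HEADER_LEN);   /* version byte and reserved stay zero */
    memcpy(out, "TZif", 4);
    put_be32(out + 20, c->ttisutcnt);  put_be32(out + 24, c->ttisstdcnt);
    put_be32(out + 28, c->leapcnt);    put_be32(out + 32, c->timecnt);
    put_be32(out + 36, c->typecnt);    put_be32(out + 40, c->charcnt);
}

/* Well-formed file: 1 transition, 1 type, 4 abbreviation chars = 15 bytes. */
size_t tzif_demo_good(void)
{
    struct tzif_counts c = { 0, 0, 0, 1, 1, 4 };
    unsigned char file[TZIF_HEADER_LEN + 15] = { 0 };
    size_t needed = 0;
    tzif_make_header(file, &c);
    return tzif_v1_data_size(file, sizeof file, &needed) ? needed : 0;
}

/* Crafted header: counts near UINT32_MAX with only 64 bytes of payload. */
int tzif_demo_crafted(void)
{
    struct tzif_counts c = { 0xFFFFFFFFu, 0, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu };
    unsigned char file[TZIF_HEADER_LEN + 64] = { 0 };
    size_t needed = 0;
    tzif_make_header(file, &c);
    return tzif_v1_data_size(file, sizeof file, &needed);
}
```

The per-count bound against the remaining file length is the cheap check that matters in practice: on a 64-bit build the multiplications cannot wrap size_t for 32-bit counts, but on a 32-bit build they can, which is why add_mul still guards each step.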
- A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time.
- glibc had incorrect information for numeric separators and groupings for specific French, Spanish, and German locales. Therefore, applications utilizing glibc's locale support printed numbers with the wrong separators and groupings when those locales were in use. With this update, the separator and grouping information has been fixed.
- The RHBA-2011:1179 glibc update introduced a regression, causing glibc to incorrectly parse groups with more than 126 members, resulting in applications such as "id" failing to list all the groups a particular user was a member of. With this update, group parsing has been fixed.
- glibc incorrectly allocated too much memory due to a race condition within its own malloc routines. This could cause a multi-threaded application to allocate more memory than was expected. With this update, the race condition has been fixed, and malloc's behavior is now consistent with the documentation regarding the MALLOC_ARENA_TEST and MALLOC_ARENA_MAX environment variables.
- An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
- Previously, the dynamic loader generated an incorrect ordering for initialization according to the ELF specification. This could result in incorrect ordering of DSO constructors and destructors. With this update, dependency resolution has been fixed.
- Previously, locking of the main malloc arena was incorrect in the retry path. This could result in a deadlock if an sbrk request failed. With this update, locking of the main arena in the retry path has been fixed. This issue was exposed by a bug fix provided in the RHSA-2012:0058 update.
- Calling memcpy() with overlapping arguments on certain processors would generate unexpected results. While such code is a clear violation of the ANSI/ISO C standards (memmove() is the defined call for overlapping buffers), this update restores the prior memcpy() behavior.
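Restoring the old behavior keeps existing binaries working, but the call sites are still wrong. As an added example (not glibc code), this is the check a code reviewer or a debug build can apply: detect overlap of the two ranges and route the copy through memmove(), reporting the overlap so the caller can be fixed. The function names and the sample buffer are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not glibc's memcpy: detect overlapping ranges and use
 * memmove(), which the standard defines for overlap, in that case. */

/* 1 if [dst, dst+n) and [src, src+n) share a byte. Compared as integers
 * because ordering unrelated pointers with < is itself undefined in C. */
int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0) return 0;
    return d < s + n && s < d + n;
}

/* Copy n bytes. Returns 1 if the buffers overlapped (a bug at the call site,
 * which should have used memmove directly), 0 otherwise. */
int copy_checked(void *dst, const void *src, size_t n)
{
    if (ranges_overlap(dst, src, n)) {
        memmove(dst, src, n);
        return 1;
    }
    memcpy(dst, src, n);
    return 0;
}

/* The pattern behind the bug report: shifting data within one buffer.
 * Writes the resulting 9 bytes (constructed input "abcdefgh") to out and
 * returns the overlap flag; out ends up as "ababcdef". */
int shift_demo(char out[9])
{
    char buf[9] = "abcdefgh";
    int overlapped = copy_checked(buf + 2, buf, 6);
    memcpy(out, buf, 9);
    return overlapped;
}
```

With the plain memcpy() that the bug report describes, the same shift could copy already-overwritten bytes; memmove() produces the expected "ababcdef" regardless of copy direction.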
- Previously, glibc looked for an error condition in the wrong location and failed to process a second response buffer in the gaih_getanswer() function. As a consequence, the getaddrinfo() function could not properly return all addresses. This update fixes an incorrect error test condition in gaih_getanswer() so that glibc now correctly parses the second response buffer. The getaddrinfo() function now correctly returns all addresses.
- Previously, if the nscd daemon received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying "A" or "AAAA" response. This caused the nscd daemon to wait for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL value for the entire record. DNS entries are reloaded as expected in this scenario.
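The nscd fix above amounts to taking the minimum TTL across the answer section rather than the TTL of the final A or AAAA record. As an added example (not nscd's code), the following walks the answer RRs of a DNS response, handling compressed names, and returns that minimum. The message layout is RFC 1035; the sample response bytes are constructed here (a CNAME with TTL 3600 followed by an A record with TTL 60), not captured from a real server, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not nscd code: minimum TTL over a DNS answer section. */

/* Advance *off past a name, which may end in a compression pointer (0xC0xx). */
static int dns_skip_name(const unsigned char *msg, size_t len, size_t *off)
{
    size_t i = *off;
    for (;;) {
        if (i >= len) return 0;
        unsigned char lab = msg[i];
        if (lab == 0) { i += 1; break; }
        if ((lab & 0xC0) == 0xC0) {          /* two-byte pointer ends the name */
            if (i + 1 >= len) return 0;
            i += 2; break;
        }
        if (lab & 0xC0) return 0;            /* reserved label types */
        i += 1 + lab;
    }
    *off = i;
    return 1;
}

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Smallest TTL among the answer RRs, or -1 if malformed or no answers. */
int64_t dns_min_answer_ttl(const unsigned char *msg, size_t len)
{
    if (len < 12) return -1;
    uint16_t qdcount = be16(msg + 4), ancount = be16(msg + 6);
    size_t off = 12;
    for (uint16_t i = 0; i < qdcount; i++) {   /* question: name, QTYPE, QCLASS */
        if (!dns_skip_name(msg, len, &off) || off + 4 > len) return -1;
        off += 4;
    }
    int64_t min_ttl = -1;
    for (uint16_t i = 0; i < ancount; i++) {   /* RR: name, type, class, TTL, rdlength, rdata */
        if (!dns_skip_name(msg, len, &off) || off + 10 > len) return -1;
        uint32_t ttl = be32(msg + off + 4);
        uint16_t rdlen = be16(msg + off + 8);
        off += 10;
        if (rdlen > len - off) return -1;
        off += rdlen;
        if (min_ttl < 0 || ttl < min_ttl) min_ttl = ttl;
    }
    return min_ttl;
}

/* Constructed response: www.example.com CNAME host.example.com (TTL 3600),
 * host.example.com A 93.184.216.34 (TTL 60). Offsets 0x0C, 0x10 and 0x2D are
 * compression pointers into the question name and the CNAME rdata. */
const unsigned char sample_dns_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x05, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x07, 4,'h','o','s','t', 0xC0,0x10,
    0xC0,0x2D, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3C, 0x00,0x04, 93,184,216,34,
};
const size_t sample_dns_response_len = sizeof sample_dns_response;
```

On the sample the first answer carries the 3600-second TTL that the old nscd would have cached; the walk returns 60, the A record's TTL, and rejects a truncated message rather than reading past its end.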