Updated glibc packages that fix two security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
- An out-of-bounds write flaw was found in the way glibc's readdir_r() function handled file system entries longer than the NAME_MAX character constant. A remote attacker could provide a specially crafted NTFS or CIFS file system that, when processed by an application using readdir_r(), would cause that application to crash or, potentially, allow the attacker to execute arbitrary code with the privileges of the user running the application.
- It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.
- When performing an address lookup to a defective Domain Name System (DNS) server using the getaddrinfo() function with the ai_family option set to AF_UNSPEC, the server could respond with a valid response for the A record and a referral response for the AAAA record, which resulted in a lookup failure. With this update, getaddrinfo() has been fixed to return the valid response in such a case.
- Under certain rare circumstances, the pthreads utility terminated unexpectedly during stack unwinding on thread cancellation on the PowerPC architecture. The bug has been fixed and pthreads no longer crashes in the described case.
- Name lookup of internationalized domain names using the getaddrinfo() function occasionally caused the calling program to abort unexpectedly. This update fixes the getaddrinfo() code to prevent the abort.
- Due to a bug in the thread local storage (TLS) initialization, the dlopen() function occasionally terminated unexpectedly with a segmentation fault. This bug has been fixed, and dlopen() no longer crashes.
- The order of relocations was incorrect during symbol dependency testing in the dynamic linker. Consequently, IFUNC resolvers terminated unexpectedly if the dependent symbols had not yet been relocated. This occurred when one of the environment variables LD_WARN or LD_TRACE_PRELINKING was set. This update ensures that relocations done during symbol dependency testing are performed in the correct order, thus avoiding the crash.
- This update modifies certain code paths used by the C library's memory allocator "fastbins" feature to be thread-safe, which prevents segmentation faults previously caused by a corruption in the memory allocator.
- This update fixes the symbol lookup in the elf/dl-lookup.c function to return correct values.
- Previously, querying for a non-existent netgroup when the nscd daemon was running returned a spurious empty result and no error message. For example, executing 'getent netgroup foo' returned a spurious empty netgroup and exited successfully with status 0 even if no netgroup named 'foo' existed. This bug has been fixed, and the above command now exits with non-zero exit status, as expected.
- Due to problems with the buffer extension and reallocation, the nscd daemon terminated unexpectedly with a segmentation fault when processing long netgroup entries. With this update, the handling of long netgroup entries has been fixed, and nscd no longer crashes in the described scenario.
- The getaddrinfo() function returned an incorrect permanent error EAI_NONAME when the Domain Name System (DNS) server was unreachable or the DNS query timed out. Now, getaddrinfo() returns EAI_AGAIN to indicate a temporary failure in name resolution.
- This update fixes a bug in the nscd daemon that caused the sudo utility to deny access for valid users in permitted netgroups.
- This update prevents a memory corruption and a subsequent unexpected crash due to a segmentation fault in the nscd daemon when querying certain netgroups with nested members.
- When querying an empty netgroup, the nscd daemon occasionally became unresponsive. This has been fixed so that an appropriate error code is returned in the described case.
- This update fixes a bug in the gettimeofday() function's implementation of the Virtual Dynamic Shared Object (VDSO) that caused the gettimeofday() function to return an incorrect non-changing value.
- This update adds information about the malloc() function requests satisfied by the mmap system call to the output created by the malloc_info() function.
- This update adds Virtual Dynamic Shared Object (VDSO) indirect function support for the gettimeofday() system call on 64-bit PowerPC systems to improve the performance of gettimeofday().
All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
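For application code affected by the readdir_r() item above, the caller-side defence is to iterate with readdir() and never copy d_name into a fixed buffer without checking its length, since NTFS or CIFS entries can exceed NAME_MAX. The following is an added example, not code from glibc or from this advisory; copy_name(), scan_dir(), demo_scan() and the temporary directory are hypothetical names and constructed input.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy an entry name into a NAME_MAX + 1 byte buffer; -1 if it does not fit. */
int copy_name(const char *src, char dst[NAME_MAX + 1])
{
    size_t len = strnlen(src, NAME_MAX + 1);
    if (len > NAME_MAX) return -1;  /* over-long name: refuse, write nothing */
    memcpy(dst, src, len + 1);      /* len <= NAME_MAX, so the NUL fits too */
    return 0;
}

/* Walk path with readdir(); count names that fit and names that were refused. */
int scan_dir(const char *path, int *accepted, int *rejected)
{
    char name[NAME_MAX + 1];
    struct dirent *e;
    DIR *d = opendir(path);
    if (d == NULL) return -1;
    *accepted = *rejected = 0;
    while ((errno = 0, e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        if (copy_name(e->d_name, name) == 0) (*accepted)++; else (*rejected)++;
    }
    int err = errno;                /* readdir() returns NULL with errno set on error */
    closedir(d);
    return err ? -1 : 0;
}

/* Constructed input: a temporary directory holding two empty files. */
int demo_scan(void)
{
    char dir[] = "/tmp/rdscanXXXXXX", p[2][64];
    int ok = 0, bad = 0;
    if (mkdtemp(dir) == NULL) return -1;
    for (int i = 0; i < 2; i++) {
        snprintf(p[i], sizeof p[i], "%s/f%d", dir, i);
        FILE *f = fopen(p[i], "w"); if (f) fclose(f);
    }
    int rc = scan_dir(dir, &ok, &bad);
    unlink(p[0]); unlink(p[1]); rmdir(dir);
    return (rc == 0 && bad == 0) ? ok : -1;
}
```

A non-zero rejected count from scan_dir() on a mounted NTFS or CIFS share is worth logging, because it identifies entries that would have overrun a NAME_MAX-sized buffer.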