4.45. glibc

Updated glibc packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Bug Fix

BZ#810323
Previously, glibc did not walk through the entire list of Network Information Service (NIS) password or group buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire lists so that memory is freed as expected and memory leaks no longer occur in this scenario.
All users of glibc are advised to upgrade to these updated packages, which fix this bug.

Updated glibc packages that fix multiple bugs and add several enhancements are now available for Red Hat Enterprise Linux 5.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Bug Fixes

BZ#823905
Using the iconv() function or the iconv command to convert a file or string from IBM-930 encoding to another encoding, such as UTF-8, resulted in a segmentation fault. This happened if the file or string contained the invalid multibyte character 0xffff. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, and the segmentation fault no longer occurs.
BZ#837852
Due to logic errors, functions exp(), exp2(), pow(), sin(), tan(), and rint() could return different results in non-default rounding modes or terminate with a segmentation fault. Multiple fixes have been applied to the function implementations and the functions now return correct results in all rounding modes.
Note that the change can cause runtime performance loss as values which were previously handled by the fast function implementation are now handled by the slower multi-precision library to achieve accurate results.
BZ#813348
The dynamic linker previously sorted cyclic dependencies incorrectly when there were more than 127 Dynamic Shared Objects (DSO). The changed order of the dependencies caused some programs to behave differently or crash due to symbol resolution failure. This update fixes the initialization order of the cyclic dependencies and the problem no longer occurs.
BZ#848481
Various functions that called the nl_explode_name() function failed to check its return value for errors. As a result, applications could terminate unexpectedly after passing a NULL pointer or uninitialized values to the calling functions. The callers of nl_explode_name() have been updated to check for error conditions and fail gracefully.
BZ#808014
Previously, if the Name Service Cache Daemon (nscd) received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying A or AAAA response. This caused nscd to wait for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL value for the entire record and DNS entries are now reloaded as expected in this scenario.
BZ#799853
The Slovak currency was set to the Slovak Crown. However, Slovakia now uses the Euro. With this update, the Slovak currency has been set to the Euro.
BZ#809325
Previously, glibc did not walk through the entire list of buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire list so that memory is freed as expected and memory leaks no longer occur in this scenario.
BZ#751748
A race between the _IO_flush_all_lockp() function and pthread_cancel() function could cause a process to become unresponsive during forking. This happened because the _IO_unlock_lock macro decremented the lock count before it attempted to unlock its lock and did not check if the count contained a positive value. If the lock was never held since _IO_unlock_lock(), the macro did not release the lock due to the lock count being less than zero. With this update, the lock count is decremented only if it contains a positive value.
BZ#639000
The Ukrainian currency symbol was incorrectly set to rp. With this update, the currency symbol was corrected to rpH.
BZ#759341
A race condition existed between functions which allocated and reclaimed stacks in multi-threaded applications. As a result, some applications could enter a deadlock. The code for managing lists of stacks has been changed to publish its changes to all threads at the appropriate time. This fixes synchronization between the multiple threads and eliminates the race condition.
BZ#788989
The Name Service Cache Daemon (nscd) terminated unexpectedly if a group contained a few thousand members. This was caused by a stack overflow which resulted in a segmentation fault in nscd. With this update, when a large amount of memory is needed for a group with many members, the memory is allocated on the heap instead of the stack. This prevents the stack overflow and nscd no longer crashes in this scenario.
BZ#839572
During installation on IBM System z, the Red Hat Enterprise Linux Server installer returned a traceback with the following error value after the stage2 download:
ValueError: (3, 'No such process')
This was due to a workaround implementation for IBM System z in the fegetenv() function in the math.h header file. With this update, the function implementation was modified so as to follow the IEEE standard and the problem no longer occurs.
BZ#769852
A race condition between the setuid() function and the sighandler_setxid() function could result in a lock remaining unreleased. As a result, an application could remain in a deadlock. With this update, the lock is released in this scenario and proper synchronization between the threads is maintained.
BZ#843672
Prior to this update, when a multi-threaded process called the qsort() function, a race condition could occur. This could result in an uninitialized memory read and the process could receive a floating point exception or other fault condition. The race condition in the function code has been fixed and the problem no longer occurs.
BZ#766832
Calling the strncmp() function on the Power4 processors could cause the program to terminate unexpectedly. This occurred because the function occasionally attempted to read past the zero byte in certain cases. With this update, strings are aligned correctly and the function no longer attempts to read past the zero byte.
BZ#710216
The Portuguese locale (pt_PT.utf8) incorrectly used the $ character instead of the , character as its decimal point. The error has been corrected and the , character is now used as the decimal point as expected.
BZ#703239
Previously, if the /etc/resolv.conf file contained an IPv6 DNS server address with trailing spaces, the address failed to be parsed correctly and DNS lookups with the ping6 command failed. With this update, the parsing code has been corrected so as to cope with trailing spaces and the problem no longer occurs.
BZ#692182
The sysconf() function allows applications to determine values for system limits or options at runtime. The mechanism that sysconf uses to acquire various CACHE parameters previously failed to look up the requested information on Intel Xeon X5670 processors and incorrectly returned zero values. The sysconf() function has been modified to acquire the system information on these processors correctly and the problem no longer occurs.
BZ#806403
A missing check of memory allocation and an incorrect loop test in the nss/getnssent.c source file could cause an application to fail. The memory allocation check and the loop test code have been added and the problem no longer occurs.
BZ#851450
Previously, the ttyname() and ttyname_r() calls returned an error if the /proc/ directory was not mounted. Consequently, some applications did not run in the chroot environment properly. With this update, if the /proc/self/fd/ directory cannot be read, the calls iterate through devices first and only then return an error. As a result, applications which were previously failing now work correctly.
BZ#500767
The getgrent() function generated an error when it requested to read a Network Information Services (NIS) group record of 1024 bytes from the NIS master server. This happened because the function attempted to free an unallocated pointer. With this update, the free() function is not called under these circumstances and getgrent() now works as expected in this scenario.
BZ#797096
Various functions (glob_in_dir, getaddrinfo) could potentially allocate unlimited amounts of data on the stack. As a result, these functions were potential security attack vectors. With this update, these routines use malloc() when allocating large amounts of memory and the security issue is eliminated.
BZ#657266
The Finnish locale included redundant trailing spaces in month abbreviations. This could cause parsing and conversion problems when working with dates. With this update, the trailing spaces have been removed from the definition of abbreviated month format and the parsing and conversion of abbreviated month names work as expected.
BZ#657588
Abbreviated month names in the simplified Chinese locale (zh_CN) contained redundant spaces, which caused incorrect output of dates. With this update, the spaces have been removed from the format definition and the system returns dates formatted correctly.
BZ#678227
The Name Service Cache Daemon (nscd) initscript was returning a non-zero exit status when a stop was requested on an already stopped daemon. However, the expected behavior is to consider the request to be successful and return the exit status of zero. The nscd initscript has been modified to handle this case correctly and set the exit status appropriately.
BZ#819430
Previously, the fnmatch() function failed and returned the -1 status code when its pattern argument contained the wildcard character * and the file name argument contained an invalid multibyte encoding character. The fnmatch() function now handles such arguments gracefully: it considers the invalid characters not to match and proceeds.
BZ#800240
If the maximum number of memory pools (arenas) used by a thread was set to 1 (MALLOC_ARENA_MAX=1), the setting was ignored and the program still used multiple pools due to incorrect logic when checking the number of pools in use and reusing pools. With this update, the underlying code has been modified and the pool setting is applied as expected.
BZ#857387
The vfprintf() function set errno to ERANGE instead of EOVERFLOW when an excessively long format string was specified. The errno is now set correctly to EOVERFLOW in this scenario.
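The failure mode behind BZ#703239 above, shown as an added C example that is not glibc's resolver code: inet_pton() rejects an address followed by blanks, so a parser has to isolate the address token first. The helper names `parse_nameserver` and `raw_pton6` and the sample lines are hypothetical, and rejecting non-whitespace after the address is a choice made for this example.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not glibc's resolver code. Parses one resolv.conf
   line; returns AF_INET or AF_INET6 and fills addr_out for a valid
   "nameserver" entry, 0 otherwise. Scope IDs (fe80::1%eth0) are not handled. */
static int parse_nameserver(const char *line, unsigned char addr_out[16])
{
    static const char kw[] = "nameserver";
    char buf[INET6_ADDRSTRLEN];
    size_t klen = sizeof kw - 1, n;
    if (strncmp(line, kw, klen) != 0 || !isblank((unsigned char)line[klen]))
        return 0;
    line += klen;
    while (isblank((unsigned char)*line))
        line++;
    /* The address token ends at the first whitespace, so trailing
       blanks, tabs, CR or LF never reach inet_pton(). */
    n = strcspn(line, " \t\r\n");
    if (n == 0 || n >= sizeof buf)
        return 0;
    memcpy(buf, line, n);
    buf[n] = '\0';
    /* Strict by choice in this example: only whitespace may follow. */
    for (line += n; *line != '\0'; line++)
        if (!isspace((unsigned char)*line))
            return 0;
    if (inet_pton(AF_INET6, buf, addr_out) == 1)
        return AF_INET6;
    return inet_pton(AF_INET, buf, addr_out) == 1 ? AF_INET : 0;
}

/* The failure mode itself: inet_pton() rejects text with trailing blanks. */
static int raw_pton6(const char *text)
{
    unsigned char tmp[16];
    return inet_pton(AF_INET6, text, tmp);
}

int main(void)
{
    unsigned char a[16];
    /* Constructed sample lines. */
    printf("raw=%d parsed=%d\n", raw_pton6("2001:db8::1  "),
           parse_nameserver("nameserver 2001:db8::1  \n", a) == AF_INET6);
    return 0;
}
```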

Enhancements

BZ#795896
A Virtual Dynamic Shared Object (VDSO) allows an application in user space to perform some kernel actions with less overhead than if using a system call. The VDSO is often used to provide fast access to the gettimeofday system call data. Support for VDSOs on the IBM System z series platform has been added to glibc.
BZ#641094
Previously, the pthread_create() function used the MAP_32BIT flag to reserve the lower 32 bits of virtual address space for thread stacks so as to provide better performance. This setting is no longer of benefit and in some cases can negatively impact performance. A patch has been backported so that pthread_create() now uses the MAP_STACK flag instead of the MAP_32BIT flag.
BZ#765710
The getaddrinfo() function returns one or more addrinfo structures, each of which contains an Internet socket address. If the hints argument to getaddrinfo() is not NULL, it specifies criteria for selecting the socket address structures to be returned. Previously, getaddrinfo() did not support the Stream Control Transmission Protocol (SCTP) hints. With this update, the getaddrinfo() function has been enhanced to accept SCTP hints.
Users of glibc are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix

CVE-2012-0864
An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
All users of glibc are advised to upgrade to these updated packages, which contain a patch to resolve this issue.

Updated glibc packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly.

Security Fix

CVE-2012-3406
It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.

Bug Fix

BZ#837896
If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. With this update, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault.
All users of glibc are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

Updated glibc packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly.

Security Fix

CVE-2012-3480
Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker-controlled input, it could cause the application to crash or, potentially, execute arbitrary code.
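Several entries on this page (BZ#788989, BZ#797096, CVE-2012-3406 and CVE-2012-3480) come down to two defensive rules: check size arithmetic for wrap-around before allocating, and cap what goes on the stack, falling back to malloc() for anything larger. The C example below is added here to show both rules together and is not glibc's code; the `scratch` type, its functions and the 1024-byte cap are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; illustrative, not glibc's own code. */
#define SCRATCH_STACK_BYTES 1024    /* assumed cap on stack use */

struct scratch {
    void *data;                     /* inline_buf or a heap block */
    size_t size;
    int on_heap;
    char inline_buf[SCRATCH_STACK_BYTES];
};

/* Returns 0 on success, -1 on size overflow or allocation failure. */
static int scratch_reserve(struct scratch *s, size_t nmemb, size_t elem_size)
{
    s->on_heap = 0;
    /* Reject a wrapping product: it would under-size the buffer. */
    if (elem_size != 0 && nmemb > SIZE_MAX / elem_size)
        return -1;
    s->size = nmemb * elem_size;
    s->data = s->inline_buf;        /* small: bounded stack storage */
    if (s->size > sizeof s->inline_buf) {
        s->data = malloc(s->size);  /* large: heap, never the stack */
        s->on_heap = (s->data != NULL);
    }
    return s->data != NULL ? 0 : -1;
}

/* Demo caller: returns 0 = stack, 1 = heap, -1 = request rejected. */
static int scratch_probe(size_t nmemb, size_t elem_size)
{
    struct scratch s;
    if (scratch_reserve(&s, nmemb, elem_size) != 0)
        return -1;
    memset(s.data, 0, s.size);      /* touch the whole buffer */
    if (s.on_heap)
        free(s.data);
    return s.on_heap;
}

int main(void)
{
    printf("%d %d %d\n", scratch_probe(16, 8), scratch_probe(5000, 8),
           scratch_probe(SIZE_MAX / 2 + 1, 4));
    return 0;
}
```

The second call models a group with a few thousand members, which is served from the heap; the third is the wrapped multiplication, which is refused before any buffer exists.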

Bug Fix

BZ#839411
Previously, logic errors in various mathematical functions, including exp, exp2, expf, exp2f, pow, sin, tan, and rint, caused inconsistent results when the functions were used with the non-default rounding mode. This could also cause applications to crash in some cases. With this update, the functions now give correct results across the four different rounding modes.
All users of glibc are advised to upgrade to these updated packages, which contain backported patches to correct these issues.