Security Fixes

CVE-2009-5064

A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd.

CVE-2011-1089

It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file.

Bug Fixes

BZ#676467

The installation of the glibc-debuginfo.i686 and glibc-debuginfo.x86_64 packages failed with a transaction check error due to a conflict between the packages. This update adds the glibc-debuginfo-common package that contains debuginfo data that are common for all platforms. The package depends on the glibc-debuginfo package and the user can now install debuginfo packages for different platforms on a single machine.

BZ#676591

When a process corrupted its heap, the malloc() function could enter a deadlock while creating an error message string. As a result, the process could become unresponsive. With this update, the process uses the mmap() function to allocate memory for the error message instead of the malloc() function. The malloc() deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully.

BZ#692838

India has adopted a new symbol for the Indian rupee leaving the currency symbol for its Unicode U20B9 outdated. The rupee symbol has been updated for all Indian locales.

BZ#694386

The strncmp() function, which compares characters of two strings, optimized for IBM POWER4 and POWER7 architectures could return incorrect data. This happened because the function accessed the data past the zero byte (\0) of the string under certain circumstances. With this update, the function has been modified to access the string data only until the zero byte and returns correct data.

BZ#699724

The crypt() function could cause a memory leak if used with a more complex salt. The leak arose when the underlying NSS library attempted to call the dlopen() function from libnspr4.so with the RTLD_NOLOAD flag. With this update, the dlopen() with the RTLD_NOLOAD flag has been fixed and the memory leak no longer occurs.

BZ#700507

On startup, the nscd daemon logged the following error into the log file if SELinux was active:

rhel61 nscd: Can't send to audit system: USER_AVC avc:  netlink
poll: error 4#012: exe="?" sauid=28 hostname=? addr=? terminal=?

This happened because glibc failed to preserve the respective capabilities on UID change in the AVC thread. With this update, the AVC thread preservers the respective capabilities after the nscd startup.

BZ#703481, BZ#703480

When a host was temporarily unavailable, the nscd daemon cached an error, which did not signalize that the problem was only transient, and the request failed. With this update, the daemon caches a value signalizing that the unavailability is temporary and retries to obtain new data after a set time limit.

BZ#705465

When a module did not provide its own method for retrieving a user list of supplemental group memberships, the libc library's default method was used instead and all groups known to the module were examined to acquire the information. Consequently, applications which attempted to retrieve the information from multiple threads simultaneously, interfered with each other and received an incomplete result set. This update provides a module-specific method which prevents this interference.

BZ#706903

On machines using the Network Information Service (NIS), the getpwuid() function failed to resolve UIDs to user names when using the passwd utility in the compat mode with a big netgroup. This occurred because glibc was compiled without the -DUSE_BINDINGDIR=1 option. With this update, glibc has been compiled correctly and getpwuid() function works as expected.

BZ#711927

A debugger could have been presented with an inconsistent state after loading a library. This happened because the ld-linux program did not relocate the library before calling the debugger. With this update, the library is relocated prior to the calling of the debugger and the library is accessed successfully.

BZ#714823

The getaddrinfo() function internally uses the simpler gethostbyaddr() functions. In some cases, this could result in incorrect name canonicalization. With this update, the code has been modified and the getaddrinfo() function uses the gethostbyaddr() functions only when appropriate.

BZ#718057

The getpwent() lookups to LDAP (Lightweight Directory Access Protocol) did not return any netgroup users if the NIS (Network Information Service) domain for individual users was not defined in /etc/passwd. This happened when the nss_compat mode was set as the mode was primarily intended for use with NIS. With this update, getpwent returns LDAP netgroup users even if the users have no NIS domain defined.

BZ#730379

The libresolv library is now compiled with the stack protector enabled.

BZ#731042

The pthread_create() function failed to cancel a thread properly if setting of the real time policy failed. This occurred the because __pthread_enable_asynccancel() function as a non-leaf function did not align the stack on the 16-byte boundary as required by AMD64 ABI (Application Binary Interface). With this update, the stack alignment is preserved accros functions.

BZ#736346

When calling the setgroups function after creating threads, glibc did not cross-thread signal and supplementary group IDs were set only for the calling thread. With this update, the cross-thread signaling in the function has been introduced and supplementary group IDs are set on all involved threads as expected.

BZ#737778

The setlocale() function could fail. This happened because parameter values were parsed in the set locale. With this update, the parsing is locale-independent.

BZ#738665

A write barrier was missing in the implementation of addition to linked list of threads. This could result in the list corruption after several threads called the fork() function at the same time. The barrier has been added and the problem no longer occurs.

BZ#739184

Statically-linked binaries that call the gethostbyname() function terminated because of division by zero. This happened because the getpagesize() function required the dl_pagesize field in the dynamic linker's read-only state to be set. However, the field was not initialized when a statically linked binary loaded the dynamic linker. With this update, the getpagesize() function no longer requires a non-zero value in the dl_pagesize field and falls back to querying the value through the syscall() function if the field value is not set.

Enhancements

BZ#712248

For some queries, the pathconf() and fpathconf() functions need details about each filesystem type: mapping of its superblock magic number to various filesystem properties that cannot be queried from the kernel. This update adds support for the Lustre file system to pathconf and fpathconf.

BZ#695595

The glibc package now provides functions optimized for the Intel 6 series and Intel Xeon 5600 processors.

BZ#695963

The glibc package now supports SSE2 (Streaming SIMD Extensions 2) instructions on the strlen() function for the AMD FX processors.

BZ#711987

This update adds the f_flags field to support the statvfs output received from kernel.

BZ#738763

The Linux kernel supports the UDP IP_MULTICAST_ALL socket option, which provides the ability to turn off IP Multicast multiplexing. This update adds the option to glibc.

BZ#712125

Under certain circumstances, a threaded process could have been granted incomplete group membership of the user which was running the process. This was caused by glibc using its default method for group membership determination, which led to a situation in which multiple threads interfered with each other while attempting to retrieve information simultaneously. Due to the nature of the group membership determination method used, each thread ended up with a different subset of the entire result set. With this update, the group membership determination method has been modified to precede this interference.

BZ#712407

When a process corrupted its heap, the malloc() function could have entered a deadlock situation while building up an error message string. This caused the process unresponsive. With this update, the code has been modified to use the mmap() function to allocate memory for the error message. This workaround ensures that the malloc() deadlock no longer occurs when allocating memory for an error message when the corrupted process heap is detected, and such a process is now normally aborted.

BZ#712411

Prior to this update, the Name Service Caching Daemon (nscd) did not clear the host cache effectively when repopulating its values. The code has been modified to schedule nscd cache pruning more accurately.

BZ#715387

Previously, nscd did not take into consideration time-to-live (TTL) parameters for the DNS records it was caching. With this update, the code has been modified so that nscd now respects TTL parameters when it answers requests for DNS records.