sdkp3-glibc

Security update for glibc

Several security issues were fixed: * CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. * CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. * CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. * CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. * CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). * CVE-2010-0015: Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called "adjunct passwd" table, mangling it with the rest of passwd columns instead of keeping it in the shadow table. Normally, Solaris will disclose this information only to clients bound to a priviledged port, but when nscd is deployed on the client, getpwnam() would disclose the password hashes to all users. New mode "adjunct as shadow" can now be enabled in /etc/default/nss that will move the password hashes from the world-readable passwd table to emulated shadow table (that is not cached by nscd). Some invalid behavior, crashes and memory leaks were fixed: * nscd in the paranoia mode would crash on the periodic restart in case one of the databases was disabled in the nscd configuration. * When closing a widechar stdio stream, memory would sometimes be leaked. * memcpy() on power6 would errorneously use a 64-bit instruction within 32-bit code in certain corner cases. * jrand48() returns numbers in the wrong range on 64-bit systems: Instead of [-231, +231), the value was always positive and sometimes higher than the supposed upper bound. * Roughly every 300 days of uptime, the times() function would report an error for 4096 seconds, a side-effect of how system calls are implemented on i386. glibc was changed to never report an error and crash an application that would trigger EFAULT by kernel (because of invalid pointer passed to the times() syscall) before. * getifaddrs() would report infiniband interfaces with corrupted ifa_name structure field. * getgroups(-1) normally handles the invalid array size gracefully by setting EINVAL. However, a crash would be triggered in case the code was compiled using "-DFORTIFYSOURCE=2 -O2". * Pthread cleanup handlers would not always be invoked on thread cancellation (e.g. in RPC code, but also in other parts of glibc that may hang outside of a syscall) - glibc is now compiled with -fasynchronous-unwind-tables. Some other minor issues were fixed: * There was a problem with sprof<->dlopen() interaction due to a missing flag in the internal dlopen() wrapper. * On x86_64, backtrace of a static destructor would stop in the _fini() glibc pseudo-routine, making it difficult to find out what originally triggered the program termination. The routine now has unwind information attached. * glibc-locale now better coexists with sap-locale on upgrades by regenerating the locale/gconv indexes properly. Security Issue references: * CVE-2010-3847 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847> * CVE-2010-3856 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856> * CVE-2010-0830 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830> * CVE-2010-0296 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0296> * CVE-2008-1391 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1391> * CVE-2010-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015> security glibc-dceext x86_64 e48f483f50e493537e6264a334df0edffc1efce7 glibc-dceext-32bit x86_64 66fba1d02d7df0f870473ba75ec019f321653f0d glibc-html x86_64 8d58939d96de7200620b78a731cfb381ab794aee glibc-profile x86_64 8eaae9139ab81a73c660ba93b4d2c22966e7b1a6 glibc-profile-32bit x86_64 11cafd88e979ee11827553c45142361e8a7ba1f2