Patch Name: PHCO_12424

Patch Description: s700_800 10.30 libc cumulative patch

Creation Date: 97/10/29

Post Date: 97/11/10

Warning: 98/01/02 - This Critical Warning has been issued by HP.

    - Patch PHCO_12424 introduced changes to the memccpy() routine
      that can cause any application using stdio routines to core
      dump. This behavior has been experienced with standard HP-UX
      commands, such as grep(1) and sccs(1).
    - The problem is also present in patch PHCO_13347, which
      superseded PHCO_12424.
    - The problem has been corrected in patch PHCO_13674, which is
      being released today. It is recommended that PHCO_12424 and
      PHCO_13347 be removed from any system on which they were
      installed. PHCO_13674 should be installed as soon as possible.

Hardware Platforms - OS Releases:
    s700: 10.30
    s800: 10.30

Products: N/A

Filesets:
    OS-Core.C-MIN
    OS-Core.CORE-SHLIBS
    ProgSupport.PROG-AUX
    ProgSupport.PROG-MIN

Automatic Reboot?: No

Status: General Superseded With Warnings

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_12424

Symptoms:
    PHCO_12424:
    The problem is within memccpy(3C) using memchr(3C). If
    memchr(3C) finds, e.g., '\0' at address 0x00000000, it returns
    0, the same value as if it did not find '\0' at all. The
    fputs(3S) system call does not handle this well as prior to
    10.20, e.g., fputs(NULL, fp) would not work correctly in this
    case.
    DTS# DSDe438042, SR# 1653222620

    Output directed to stderr may be corrupted when an application
    opens files for non-buffered i/o by calling setbuf() with the
    _IONBF flag. The symptom is likely to manifest only in
    multi-threaded applications.
    DSDe437356.

    Due to an incorrect definition of LONG_LONG_MIN in limits.h, a
    comparison with LONG_LONG_MIN is not guaranteed to produce the
    correct result as the value of LONG_LONG_MIN is larger than
    what it is expected to be.
    DTS DSDe437497

    The customer using Spanish locale (or any locale with 2 to 1
    mapping) along with any patch which includes Swedish Police
    patch (PHCO_11027) will see incorrect collation. Other
    customers will never see this problem.
    DTS# DSDe436983, SR# 1653214346

    Fixed potential buffer overrun.

    Non-root users of rlogin get the error message:
    "rlogind: /dev/pts/1: Permission denied."
    if configured in /etc/inetd.conf with the -l option.
    DTS INDaa28226, SR 4701364653

    The APIs ecvt/fcvt return different values for the decimal
    point index on certain boundary conditions between Sacramento
    and Roseville releases.
    DTS DSDe438432.

    In a customer application, regcomp(3C) followed by regexec(3C)
    returns an unexpected "no match" value when the locale is set
    to non-C locale.
    DSDe437259, SR 1653215186.

    If an application that uses message catalogs is run in an
    environment where NLSPATH is set incorrectly (e.g.
    NLSPATH="/tmp", where the NLSPATH element /tmp does not specify
    a filename template) the application may run out of file
    descriptors.
    DSDe435212, SR 1653208355.

    ctime_r() may fail intermittently in a multi-threaded
    application.
    DSDe433684.

    An application calling sleep() without establishing a SIGALRM
    handler terminates if the sleep() is interrupted by a SIGALRM.
    DSDe434618. SR 4701358556.

    Use of snprintf() can cause a buffer overflow.
    DSDe436686.

    No reported symptoms - this is a proactive patch.
    DTS DSDe436555.

    The API makecontext() in libc doesn't work for Release 10.30
    systems running on 64-bit hardware only. The application using
    this API would generate memory fault for Release 10.30 systems
    running on 64-bit hardware. For 32-bit platform, the API
    executes successfully.
    DSDe435355.

    Executables which redefine certain reserved words may interfere
    with some library operations.
    DTS DSDe435430.

    Concurrent calls to fread() (or other stdio input functions) on
    unbuffered or line buffered files can lead to a deadlock in
    libc in a multi-threaded application.
    DSDe435666, DSDe435913, JAGaa00772, DSDe439204,
    SR 1653211490, SR 1653228528.

Defect Description:
    PHCO_12424:
    If memccpy(3C) uses memchr(3C), and that returns NULL,
    memccpy(3C) needs to check if that NULL means the character is
    indeed found at address NULL, or if it means the character is
    not found at all.

    Incorrect internal buffer allocation can lead to an overlap
    between the stderr buffer and other internal buffers when files
    are opened for non-buffered i/o.

    LONG_LONG_MIN was defined to be -9223372036854775808LL in
    limits.h. The minus sign in front of the number
    9223372036854775808LL is a unary operator. The constant next to
    it is already larger than LONG_LONG_MAX, hence it is promoted
    to the next possible larger data type which is unsigned long
    long. The fix is to change the definition to
    (-9223372036854775807LL -1).

    The trimming off of common prefix from string before collation
    causes a problem in Spanish locale because it has a 2 to 1
    mapped collation element, e.g. "ch" should map after "co" but
    if the common prefix "c" is removed, "h" will map before "o",
    which is incorrect.

    N/A

    The effective user and group id are set incorrectly in the call
    ruserok() when rlogind is invoked with an option "-l".

    Passing a negative value for "ndigits" to ecvt or fcvt will
    cause them to return different values for the decimal point
    index between Sacramento and Roseville. This patch changes the
    Sacramento behavior to conform to Roseville. This behavior is
    undocumented in the standards and man pages.

    A local data item was not being initialized properly.

    An incorrect setting of NLSPATH, e.g. NLSPATH="/tmp", causes
    catopen() to leave open file descriptors behind. As a result,
    applications that frequently call catopen() with an incorrectly
    set NLSPATH can run out of file descriptors.

    ctime_r() was incorrectly parsing the TZ variable, leading to
    incorrect conversion.

    An application calling sleep() without establishing a SIGALRM
    handler terminates if the sleep() is interrupted by a SIGALRM.
    snprintf() fails to check boundary conditions.

    Potential for data corruption/crashing if dbm_open is called
    with a filename which is too long.

    The defect is due to incorrect typecasting of pointers to
    32-bit value in makecontext() API. To reproduce this problem,
    run the application using makecontext() API in a Release 10.30
    system running on 64-bit hardware. The makecontext() API is a
    very rarely used API. If there are any applications installed
    on the 10.30 system known to be using makecontext() API, then
    this patch needs to be installed.

    Executables which redefine certain reserved words may interfere
    with some library operations.

    Incorrect locking order in libc can lead to deadlocks while
    reading unbuffered or line buffered files.

SR:
    4701364653 1653215186 1653208355 4701358556
    1653214346 1653211490 1653228528 1653222620

Patch Files:
    /usr/lib/libc.a
    /usr/lib/libp/libc.a
    /usr/lib/libpicc.a
    /usr/lib/libc.2

what(1) Output:
    /usr/lib/libc.a:
        PATCH/10.30:PHCO_12424 libc.a_ID@@/main/r10sac/cup_libc-sac-cpe/1
        /ux/core/libs/libc/archive_pa1/libc.a_ID
        Oct 29 1997 16:42:13
    /usr/lib/libp/libc.a:
        PATCH/10.30:PHCO_12424 libc.a_ID@@/main/r10sac/cup_libc-sac-cpe/1
        /ux/core/libs/libc/profiled_pa1/libc.a_ID
        Oct 29 1997 17:07:44
    /usr/lib/libpicc.a:
        PATCH/10.30:PHCO_12424 libc.2_ID@@/main/r10sac/cup_libc-sac-cpe/1
        /ux/core/libs/libc/shared_pa1/libc.2_ID
        Oct 29 1997 16:55:03
    /usr/lib/libc.2:
        PATCH/10.30:PHCO_12424 libc.2_ID@@/main/r10sac/cup_libc-sac-cpe/1
        /ux/core/libs/libc/shared_pa1/libc.2_ID
        Oct 29 1997 16:55:03

cksum(1) Output:
    3139667202 2100514 /usr/lib/libc.a
    4286584548 2246790 /usr/lib/libp/libc.a
    1762833906 2181646 /usr/lib/libpicc.a
    952407948 1368064 /usr/lib/libc.2

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: None

Equivalent Patches: None

Patch Package Size: 7770 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support
    terms and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_12424

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHCO_12424.depot

    5b. For a homogeneous NFS Diskless cluster run swcluster on the
        server to install the patch on the server and the clients:

        swcluster -i -b

        This will invoke swcluster in the interactive mode and
        force all clients to be shut down.

        WARNING: All cluster clients must be shut down prior to the
        patch installation. Installing the patch while the clients
        are booted is unsupported and can lead to serious problems.

        The swcluster command will invoke an swinstall session in
        which you must specify:

            alternate root path - default is /export/shared_root/OS_700
            source depot path   - /tmp/PHCO_12424.depot

        To complete the installation, select the patch by choosing
        "Actions -> Match What Target Has" and then
        "Actions -> Install" from the Menubar.

    5c. For a heterogeneous NFS Diskless cluster:

        - run swinstall on the server as in step 5a to install the
          patch on the cluster server.
        - run swcluster on the server as in step 5b to install the
          patch on the cluster clients.

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHCO_12424. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    Warning: If this file exists when a patch is installed, the
    patch cannot be deinstalled. Please be careful when using this
    feature.

    It is recommended that you move the PHCO_12424.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

        dd if=/tmp/PHCO_12424.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    If libc patches are installed without rebooting, applications
    currently running which are linked shared against libc will
    still continue using the former version of libc. If this
    presents a problem to any applications, you should reboot.
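
The LONG_LONG_MIN defect from the Defect Description, as an added C example (not HP's code) showing which comparisons go wrong. BROKEN_LONG_LONG_MIN models the unsigned promotion the advisory describes by using a ULL suffix, an assumption made so the result is the same on every compiler; the guard functions and sample values are constructed for illustration.

```c
#include <stdio.h>

/* Model of the defective limits.h entry (assumption for this example): the
 * advisory says 9223372036854775808 does not fit in long long and becomes
 * unsigned long long, so the ULL suffix forces that type on any compiler.
 * Unary minus on the unsigned value 2^63 wraps back to 2^63. */
#define BROKEN_LONG_LONG_MIN (-9223372036854775808ULL)
/* The corrected definition quoted in the Defect Description. */
#define FIXED_LONG_LONG_MIN (-9223372036854775807LL - 1)

/* Hypothetical range guards: 1 when v lies strictly above the minimum. */
int above_min_broken(long long v)
{
    /* v is converted to unsigned long long before the comparison */
    return v > BROKEN_LONG_LONG_MIN;
}

int above_min_fixed(long long v)
{
    return v > FIXED_LONG_LONG_MIN;
}

/* Constructed sample values spanning the long long range. */
static const long long samples[] = {
    FIXED_LONG_LONG_MIN, -1LL, 0LL, 1LL, 9223372036854775807LL
};
#define NSAMPLES ((int)(sizeof samples / sizeof samples[0]))

/* Number of samples a guard accepts; 4 of the 5 are above the minimum. */
int count_accepted(int (*guard)(long long))
{
    int n = 0;
    for (int i = 0; i < NSAMPLES; i++)
        n += guard(samples[i]);
    return n;
}

int main(void)
{
    for (int i = 0; i < NSAMPLES; i++)
        printf("%21lld  broken=%d  fixed=%d\n", samples[i],
               above_min_broken(samples[i]), above_min_fixed(samples[i]));
    printf("accepted: broken=%d fixed=%d\n",
           count_accepted(above_min_broken), count_accepted(above_min_fixed));
    return 0;
}
```

With the modelled defective constant every non-negative value fails the guard while negative values pass, so a bounds check built on it rejects ordinary input.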
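
A regression check for the catopen() descriptor leak described under Symptoms and Defect Description, as an added C example (not HP's code) that can be run against an installed libc. The catalog name, round count and helper names are hypothetical; the check relies on open() returning the lowest unused descriptor number.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <nl_types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Lowest unused descriptor number: open() always returns the lowest free
 * slot, so a rise in this value across a test means descriptors stayed open. */
static int lowest_free_fd(void)
{
    int fd = open("/", O_RDONLY);
    if (fd >= 0)
        close(fd);
    return fd;
}

/* Calls catopen() `rounds` times with NLSPATH set to `nlspath` and returns
 * how far the lowest free descriptor moved: 0 means nothing was left open,
 * a positive value means descriptors leaked, -1 means the probe itself
 * failed (including a descriptor table that is already exhausted). */
int catopen_fd_growth(const char *nlspath, int rounds)
{
    if (setenv("NLSPATH", nlspath, 1) != 0)
        return -1;
    int before = lowest_free_fd();
    if (before < 0)
        return -1;
    for (int i = 0; i < rounds; i++) {
        /* hypothetical catalog name that should not exist */
        nl_catd cat = catopen("no_such_catalog_example", 0);
        if (cat != (nl_catd)-1)
            catclose(cat);      /* a real catalog was found; release it */
    }
    int after = lowest_free_fd();
    return after < 0 ? -1 : after - before;
}

int main(void)
{
    /* The advisory's example of an NLSPATH element with no filename template. */
    int growth = catopen_fd_growth("/tmp", 64);
    printf("descriptor growth after 64 catopen() calls: %d\n", growth);
    return growth == 0 ? 0 : 1;
}
```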