Patch Name: PHCO_13917

Patch Description: s700_800 10.10 libc cumulative patch

Creation Date: 98/01/26

Post Date: 98/02/13

Hardware Platforms - OS Releases:
    s700: 10.10
    s800: 10.10

Products: N/A

Filesets:
    OS-Core.C-MIN
    OS-Core.CORE-SHLIBS
    ProgSupport.PROG-MIN
    ProgSupport.PROG-AUX
    OS-Core.UX-CORE

Automatic Reboot?: No

Status: General Superseded

Critical:
    No (superseded patches were critical)
    PHCO_8763: CORRUPTION

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_13917

Symptoms:

PHCO_13917:

Calling perror(string) with the length of string plus the message larger than 1024 will cause a core dump. DTS # JAGaa01178, JAGaa01166.

PHCO_12198:

Concurrent calls to fread() (or other stdio input functions) on unbuffered or line buffered files can lead to a deadlock in libc in a multi-threaded application. DSDe435666, DSDe435913, JAGaa00772, DSDe439204, SR 1653211490, SR 1653228528

Non-root users of rlogin get the error message: "rlogind: /dev/pts/1: Permission denied." if configured in /etc/inetd.conf with the -l option. DTS INDaa28226, SR 4701364653

NIS netgroups are searched recursively, causing poor performance when netgroups are nested. DTS # INDaa27824, SR 5003377606.

The getrpcent(3c) routine may exhibit the following problems:
(1) If NIS is not running a core dump may occur.
(2) May enter an infinite loop, i.e. appears to hang while reading the NIS map.
DTS # INDaa27020, SR # 5003362624.

PHCO_11819:

In a customer application, regcomp(3C) followed by regexec(3C) returns an unexpected "no match" value when the locale is set to non-C locale. DSDe437259, SR 1653215186.

No reported symptoms. DSDe436555.

The getrpcent(3c) routine may exhibit the following problems:
(1) If NIS is not running a core dump may occur.
(2) May enter an infinite loop, i.e. appears to hang while reading the NIS map.
DTS # INDaa27020, SR # 5003362624.

Memory leak in getservbyname. DTS# INDaa26623, SR# 5003358762.

Output directed to stderr may be corrupted when an application opens files for non-buffered i/o by calling setbuf() with the _IONBF flag. The symptom is likely to manifest only in multi-threaded applications. DSDe437356.

PHCO_10384:

strcat() may core dump when the last word of the source string is at the page boundary. SR 5003302299, DSDe434239, DSDe427804.

For regcomp/regexec, "^ *$" and similar patterns in non-C locales will incorrectly match lines with newlines in them. DSDe434345, SR 1653204651.

When sleep is interrupted by a signal, the returned value of time remaining may be greater than the original request. DSDe429933, SR 5003326272.

memcmp(3c) may core dump at a page boundary. DSDe433356, SR 4701344721.

February 29, 2000 is rejected as a valid date by the getdate(3c) library call. DSDe434241, DSDe430766; SR #s 1653203026, 4701334763.

getdate(3c) would set getdate_err to "no matching template entry" (7) instead of "invalid input specification" (8) for dates outside the range of the time_t data type. This has been fixed. DSDe434270

PHCO_10028:

Unacceptable degradation of collation using the Swedish language. DSDe432108, SR1653192161.

Regular expression pattern ".*" behaves incorrectly in Japanese locale. DSDe433097.

PHCO_8981:

The libc routine ulckpwdf always returns -1. As a result, the /etc/.pwd.lock can not be unlocked. DSDe431142, SR5003338038.

Memory leak in globfree(). DSDe431962, SR5003344192.

If given weekday is the same as today and within the last 7 days of the month, getdate() would return an Error 8. DSDe431143, SR1653185629.

In non-C locales, non-blank lines would match pattern ^$ for regcomp(). DSDe431505 DSDe432126.

User applications hit a limit of 1023 for number of sets in a message catalog. DSDe431644, SR5003341271.

Call to tempnam(), mktemp() and mkstemp() sometimes returned a dangling symlink as the name for a temporary file. SR1653189134.

The strptime and getdate calls did not handle two digit year specifications in the same manner.
This has been addressed by providing strptime and getdate with an alternative behavior for dealing with two digit year specifications. In order to obtain the alternative behavior, which interprets two-digit year values in the range 66-99 to refer to the twentieth century and values in the range 00-68 to refer to the twenty-first century, the executable must link with the supplied object file, /usr/lib/year2000.o. Existing executables will continue to get the compatible behavior. DSDe430766, SR4701334763.

The getdate() routine fails with a signal 11 segmentation violation when accessing a datemask file that contains a very large number of alternative date formats. DSDe429925, SR1653176883.

PHCO_8763:

Random truncation of strings with strcat due to fix attempted in PHCO_8369.

PHCO_8369:

Significant performance degradation of regular expression processing in 10.X compared to 9.x. Affects awk, grep, sed, etc.

The readdir() call may inadvertently call a user-defined routine.

getcwd returns EINVAL when a negative buflen is passed in.

memchr tries to read beyond end of valid memory when char is not found in the string and may core dump.

Sometimes strcat would attempt to access an unmapped page of memory.

- The group permissions of the parent directory of the home directory do not have to be set for "all" for the ".rhosts" check to succeed. The "rhosts" check changes the effective group id to the real group id before opening ".rhosts" file.
- ruserok() did not properly parse the username in hosts.equiv.

PHCO_7799:

Runtime message catalog functions only support 255 message groups.

When customer runs command: setprivgrp -g LOCKRDONLY, the NIS system hangs.

regexec does not find pattern "(a*|b)c" in input "c".

Call to setlocale() caused LC_ALL string to become corrupt.

If the ndots resolver option is configured in /etc/resolv.conf and res_init() is directly or indirectly called, a memory leak will occur.
Applications using gethost*() APIs or directly using resolver APIs (res_*()) in a DNS environment are open to this problem.

"$^" with REG_NEWLINE matches all lines, not just empty.

PHCO_6809:

Undocumented behavior for strncpy was missing.

qsort performs very badly on sorted blocks of data - customer found that qsort on a file with 100,000 randomly sorted records took seconds, whereas a file of 100,000 records containing large sorted blocks took over an hour to sort.

Under certain circumstances, a regcomp(3) memory leak causes an Uninitialized Memory Read from within regfree(3).

On 10.10 a call to fileno() with a NULL parameter simply returns NULL - that is until you have linked in libdce.sl which enables the thread safe version of fileno which core dumps when passed a NULL parameter.

getutent_r, getutid_r, and getutline_r tests core dumped.

Repeated calls to setlocale(3c) expose a memory leak.

yp_bind routine doesn't time out, and will try forever if the server is not found.

PHCO_6777:

Also to fix the return value of sysconf() there are changes being made there.

On 10.10 a call to fileno() with a NULL parameter simply returns NULL - that is until you have linked in libdce.sl which enables the thread safe version of fileno which core dumps when passed a NULL parameter.

PHCO_6596:

Under some circumstances registers were not being properly saved prior to calling signal handlers.

setcontext() occasionally returns 100 to indicate success. Changes to always return 0 for success as required by Standards.

Multiple calls to gettxt() would result in a "too many open files" error.

telldir() returns an incorrect offset zero for the end of directory record.

strptime(3c) does not return the correct information for 12:xx am.

Includes change to getpwent.c in function matchname() so that it returns 1 instead of 0 if it finds the name under the MINUS section. Also includes change to getgrent.c so that interpret will stop processing if it finds a MINUS as part of the name.
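
The tempnam()/mktemp()/mkstemp() symptom listed above under PHCO_8981, as an added example that is not HP's libc code: a name probe that follows symlinks reports a dangling symlink as unused, while lstat() and an O_CREAT|O_EXCL create both reject it. The function names and the /tmp scratch directory are constructed for illustration, and that the original probe followed symlinks is an assumption.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the name looks unused. follow=1 uses stat(), which follows
 * symlinks, so a dangling link gives ENOENT and looks unused (the assumed
 * faulty probe); follow=0 uses lstat(), which sees the link itself. */
int name_looks_free(const char *p, int follow)
{
    struct stat sb;
    int rc = follow ? stat(p, &sb) : lstat(p, &sb);
    return rc == -1 && errno == ENOENT;
}

/* Atomic create. With O_CREAT|O_EXCL, open() fails with EEXIST when the
 * name is a symlink, dangling or not, so no probe-then-open race remains. */
int create_exclusive(const char *p)
{
    return open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a private directory holding a symlink whose target
 * does not exist. Returns 0 when the scenario could be set up. */
int dangling_demo(int *by_stat, int *by_lstat, int *excl_errno)
{
    char dir[] = "/tmp/symdemoXXXXXX";
    char link_path[64], target[64];
    int fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/candidate", dir);
    snprintf(target, sizeof target, "%s/absent", dir);
    if (symlink(target, link_path) == -1) { rmdir(dir); return -1; }
    *by_stat = name_looks_free(link_path, 1);
    *by_lstat = name_looks_free(link_path, 0);
    fd = create_exclusive(link_path);
    *excl_errno = (fd == -1) ? errno : 0;
    if (fd != -1) close(fd);
    unlink(target);         /* present only if the create followed the link */
    unlink(link_path);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int s, l, e;
    if (dangling_demo(&s, &l, &e) != 0) return 1;
    printf("stat: free=%d  lstat: free=%d  O_EXCL errno=%d\n", s, l, e);
    return 0;
}
```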

Defect Description:

PHCO_13917:

The size of the string passed to perror, plus the message, was not checked and could have become larger than the size of the allocated output buffer. In such situations perror would have core dumped.

PHCO_12198:

Incorrect locking order in libc can lead to deadlocks while reading unbuffered or line buffered files.

The effective user and group id are set incorrectly in the call ruserok() when rlogind is invoked with an option "-l".

If netgroups are nested this causes the NIS netgroup files to be recursively searched, causing poor performance.

The proper error checks were not in place for getrpcent(3c).

PHCO_11819:

A local data item was not being initialized properly.

Potential for data corruption/crashing if dbm_open is called with a filename which is too long.

The proper error checks were not in place for getrpcent(3c).

NIS getservbyname() memory leak.

Incorrect internal buffer allocation can lead to an overlap between the stderr buffer and other internal buffers when files are opened for non-buffered i/o.

PHCO_10384:

strcat() prefetches word before doing shift and concatenation. A check for end of string should be performed before the prefetch since the prefetched word may be across the page boundary. This is now fixed.

The non-C locale code continued to check beyond the terminating null character.

Due to sleep being required to sleep at least the requested amount, the returned value may be more than the original request due to rounding.

memcmp tried to prefetch words from outside of valid memory page and this might cause memory core dumps. The prefetching of invalid memory words was caused by incorrect calculation of number of words to fetch and compare. This is fixed now.

The leap year algorithm was incorrect for getdate(3c).

The check for the range of the input date was wrong for getdate(3c).

PHCO_10028:

Unacceptable degradation of collation using the Swedish language.

Regular expression pattern ".*" behaves incorrectly in Japanese locale.
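
The PHCO_13917 perror defect described above, as an added example that is not HP's libc source: an unchecked copy into a fixed 1024-byte buffer beside a bounded version that truncates and reports the length it needed. The function names, the 2000-byte prefix and the use of snprintf() are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 1024 /* buffer size named in the PHCO_13917 symptom */

/* Unchecked pattern, for contrast only and never called here: the caller's
 * prefix and the error text are copied with no regard for the buffer size.
 * Constructed illustration, not HP's libc source. */
void compose_unchecked(char *out, const char *prefix, int errnum)
{
    strcpy(out, prefix);
    strcat(out, ": ");
    strcat(out, strerror(errnum));
    strcat(out, "\n");
}

/* Bounded version: writes at most cap bytes including the terminating NUL.
 * Returns the length the full text needs, so a result >= cap means the
 * output was truncated instead of running past the buffer. */
size_t compose_checked(char *out, size_t cap, const char *prefix, int errnum)
{
    const char *msg = strerror(errnum);
    int n;

    if (cap == 0)
        return 0;
    if (prefix != NULL && prefix[0] != '\0')
        n = snprintf(out, cap, "%s: %s\n", prefix, msg);
    else
        n = snprintf(out, cap, "%s\n", msg);
    if (n < 0) {            /* encoding error: leave an empty string */
        out[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

int main(void)
{
    char out[MSG_BUF];
    char prefix[2001];      /* constructed oversized caller string */
    size_t need;

    memset(prefix, 'A', sizeof prefix - 1);
    prefix[sizeof prefix - 1] = '\0';
    need = compose_checked(out, sizeof out, prefix, ENOENT);
    printf("needed %lu bytes, kept %lu, truncated=%d\n",
           (unsigned long)need, (unsigned long)strlen(out),
           need >= sizeof out);
    return 0;
}
```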

PHCO_8981:

If you lock /etc/.pwd.lock using lckpwdf, there is no way to determine that it was unlocked, because ulckpwdf always returns -1.

Allocated memory was not properly freed by globfree() after use.

The day of the month was being improperly adjusted for the case when the day of the week matched today.

Pattern map was set such that it would continue matching past end of pattern.

The maximum number of message sets allowed in a message catalog was not high enough; it has been increased to 65535.

The tempnam(), mktemp() and mkstemp() APIs did not check for a dangling symlink before returning it; this has been fixed now.

The strptime and getdate calls were not consistent in the manner in which they handled two digit year specifications.

When a very large template file is used, and the getdate() routine has to search far into the file to find a matching format specifier, getdate() overran the allocated array.

PHCO_8763:

The fix for strcat's page boundary problem caused truncation of some strings.

PHCO_8369:

Poor performance of 10.X regular expression processing in comparison to 9.x.

The readdir() call failed to call the primary definition of a public routine.

According to X/Open, getcwd takes a second argument of type size_t and returns EINVAL only when the second argument is 0.

memchr tries to read beyond end of valid memory when char is not found in the string and may core dump.

The strcat call didn't handle an optimized pre-fetching strategy properly, causing the read of bytes belonging to unmapped pages.

1. The "rhosts" check fails if the parent directory of the user's home directory does not have the right group permissions. Consider the case where the parent directory has permissions "710".

       /home         - permissions rwx--x---
       /home/student - permissions rwx------

   - The directories home and student belong to the same group. The "rhosts" check fails when a remote user tries to log in as "student".
   - This is because the ruserok() routine does not change the effective group id to the real group id before opening ".rhosts" file.

2. Usernames in the host.equiv file are improperly parsed.

   - The ruserok() code now exhibits the expected and documented behavior.

PHCO_7799:

Add runtime support for message sets 256 thru 1023.

Problem is in yp_bind.c. The second function call to flock() has a syntax error in the parameter list. The first call to flock() is correct. When this command is given the second function call to flock() is in code which is only invoked when Talk2_binder() is called. Then it hangs.

Fix pmap array needed to be set true for alternation case when isfirst set to 0, since it was getting lost on next expression for case of echo c | grep -E '(a*|b)c'.

A previous fix for a setlocale() memory leak releases storage for LC_ALL string before it is appropriate. The implementation has been changed to use an internal static buffer.

res_init() leads to the processing of the ndots option. In processing the ndots value a routine was called that could generate a recursive loop back to res_init(). During the recursive loop a memory leak would be generated. The code has been redesigned to avoid this loop condition.

"$^" with REG_NEWLINE matches all lines, not just empty, caused by incorrect fix for DSDe427572.

PHCO_6809:

Added support back for an undocumented strncpy behavior which had been previously removed for performance reasons.

qsort needed to pick an alternate pivot point when detecting sorted or partially sorted data in order to improve poor performance.

When regcomp(3) returns the following error:

    ?, *, or + not preceded by valid regular expression

the regex_t structure argument has already had memory allocated to it, resulting in a memory leak. If regfree(3) is called in this case, the result is an Uninitialized Memory Read from within regfree.

The thread-safe version of fileno() is trying to dereference a NULL pointer.

endutent_r() and endutxent_r() assumed that a key had been created. This assumption is not valid, and checks have been put in to determine what action to take.

Repeated calls to setlocale(3c) expose a memory leak.

yp_bind was changed to retry 4 times, then timeout and quit if no success.

PHCO_6777:

Bug in sysconf().

The thread-safe version of fileno() is trying to dereference a NULL pointer.

PHCO_6596:

Multiple calls to gettxt() would result in a "too many open files" error.

telldir() returns an incorrect offset zero for the end of directory record.

strptime(3c) does not return the correct information for 12:xx am.

Includes change to getpwent.c in function matchname() so that it returns 1 instead of 0 if it finds the name under the MINUS section. Also includes change to getgrent.c so that interpret will stop processing if it finds a MINUS as part of the name.

SR:
    1653159293 5003294843 5003291716 5003290056 5003320648
    1653174425 4701309294 1653155929 1653169615 5003338038
    5003344192 1653185629 5003341271 1653189134 4701334763
    1653176883 1653192161 1653204651 5003326272 4701344721
    1653203026 5003302299 1653215186 5003362624 5003358762
    1653211490 1653228528 4701364653 5003377606 5003362624

Patch Files:
    /usr/lib/.unix95/context.o
    /usr/lib/libc.a
    /usr/lib/libp/libc.a
    /usr/lib/libpicc.a
    /usr/lib/year2000.o
    /usr/lib/libc.1

what(1) Output:
    /usr/lib/.unix95/context.o:
        None
    /usr/lib/libc.a:
        /usr/lib/libc.a:
            PATCH/10_10 PHCO_13917 $Revision: 76.162.1.14.1.60 $ :
    /usr/lib/libp/libc.a:
        /usr/lib/libp/libc.a:
            PATCH/10_10 PHCO_13917 $Revision: 76.162.1.14.1.60 $ :
    /usr/lib/libpicc.a:
        /usr/lib/libpicc.a:
            PATCH/10_10 PHCO_13917 $Revision: 76.162.1.14.1.60 $ :
    /usr/lib/year2000.o:
        None
    /usr/lib/libc.1:
        /usr/lib/libc.1:
            PATCH/10_10 PHCO_13917 $Revision: 76.162.1.14.1.60 $ :

cksum(1) Output:
    3434809032 1356 /usr/lib/.unix95/context.o
    355925667 2277136 /usr/lib/libc.a
    991453917 2496206 /usr/lib/libp/libc.a
    2199576147 2388776 /usr/lib/libpicc.a
    2118072638 700 /usr/lib/year2000.o
    1759527304 1712128 /usr/lib/libc.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_6596 PHCO_6777 PHCO_6809 PHCO_7799 PHCO_8369 PHCO_8763
    PHCO_8981 PHCO_10028 PHCO_10384 PHCO_11819 PHCO_12198

Equivalent Patches: None

Patch Package Size: 8730 KBytes

Installation Instructions:

Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.

------------------------------------------------------------

1. Back up your system before installing a patch.

2. Log in as root.

3. Copy the patch to the /tmp directory.

4. Move to the /tmp directory and unshar the patch:

       cd /tmp
       sh PHCO_13917

5a. For a standalone system, run swinstall to install the patch:

       swinstall -x autoreboot=true -x match_target=true \
           -s /tmp/PHCO_13917.depot

5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients:

       swcluster -i -b

    This will invoke swcluster in the interactive mode and force all clients to be shut down.

    WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems.

    The swcluster command will invoke an swinstall session in which you must specify:

       alternate root path - default is /export/shared_root/OS_700
       source depot path   - /tmp/PHCO_13917.depot

    To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar.

5c. For a heterogeneous NFS Diskless cluster:

    - run swinstall on the server as in step 5a to install the patch on the cluster server.
    - run swcluster on the server as in step 5b to install the patch on the cluster clients.

By default swinstall will archive the original software in /var/adm/sw/patch/PHCO_13917. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.

Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.

It is recommended that you move the PHCO_13917.text file to /var/adm/sw/patch for future reference.

To put this patch on a magnetic tape and install from the tape drive, use the command:

       dd if=/tmp/PHCO_13917.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None