Patch Name: PHCO_14511

Patch Description: s700_800 10.20 libc cumulative patch

Creation Date: 98/03/12

Post Date: 98/03/20

Hardware Platforms - OS Releases:
    s700: 10.20
    s800: 10.20

Products: N/A

Filesets: OS-Core.C-MIN
          OS-Core.CORE-SHLIBS
          ProgSupport.PROG-MIN
          ProgSupport.PROG-AUX

Automatic Reboot?: No

Status: General Superseded

Critical: No (superseded patches were critical)
    PHCO_13189: CORRUPTION
    PHCO_8108: CORRUPTION

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_14511

Symptoms:
    PHCO_14511:

    strcoll() core dumps when LANG is set to C and LC_COLLATE is set to a different value (e.g. Swedish). DSDe442035

    Customers using their own versions of malloc() and free() would notice free() being called twice on the same block of memory while using glob(). JAGaa01494

    memccpy() doesn't detect the value of 0 at address 0. JAGaa01280

    regcomp() dumps core, instead of returning an error, when dealing with some non-recognizable expressions. JAGaa01396, JAGaa01496, JAGaa01497

    strptime(3C) does not calculate the week number correctly when the first day of the year is a Sunday (for %U and %W) or a Monday (for %W). JAGaa00976, SR 1653231456

    PHCO_14199:

    When a customer program containing calls to endpwent() is run in an NIS environment, a memory leak is observed. After several days of running, the program is unable to continue due to an out-of-memory condition. JAGaa01175, SR 5003395673.

    The problem was introduced in cumulative libc patch PHCO_13029. Applications that 1) call fork() and 2) implement their own version of the malloc functions will not link with libc.a. For example, the link editor would print the following messages when an application (mymalloc.c) that implements its own version of malloc() and free() is compiled:

        cc: Entering Link editor.
        /usr/ccs/bin/ld: Duplicate symbol "malloc" in files mymalloc.o and /usr/lib/libc.a(malloc.o)
        /usr/ccs/bin/ld: Duplicate symbol "free" in files mymalloc.o and /usr/lib/libc.a(malloc.o)
        /usr/ccs/bin/ld: Found 2 duplicate symbol(s).

    JAGaa01398.
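The week-number rule behind the strptime(3C) symptom above, as an added check that is not part of the HP patch text: %U and %W are derived from tm_yday and tm_wday (week 0 holds the days before the first Sunday or Monday) and compared with what the installed libc's strftime() prints for years whose 1 January is a Sunday (2017) or a Monday (2018). Assumes a C compiler and a POSIX libc; the function names are chosen here.

```c
/* Added example, not HP's code: reference %U / %W week numbers for checking a
 * libc against the strptime(3C) week-number symptom (1 January on a Sunday or
 * a Monday). Assumes a hosted C compiler and a POSIX libc with mktime/strftime. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Fill in tm_wday and tm_yday for a calendar date by normalising with mktime(). */
static int fill_date(struct tm *tm, int year, int month, int day)
{
    memset(tm, 0, sizeof *tm);
    tm->tm_year = year - 1900;
    tm->tm_mon = month - 1;
    tm->tm_mday = day;
    tm->tm_hour = 12;            /* midday keeps DST transitions out of the picture */
    tm->tm_isdst = -1;
    return mktime(tm) == (time_t)-1 ? -1 : 0;
}

/* %U: week of the year with Sunday as the first day; days before the first
 * Sunday belong to week 0. */
int week_number_sunday(const struct tm *tm)
{
    return (tm->tm_yday + 7 - tm->tm_wday) / 7;
}

/* %W: the same with Monday as the first day of the week. */
int week_number_monday(const struct tm *tm)
{
    return (tm->tm_yday + 7 - (tm->tm_wday + 6) % 7) / 7;
}

/* Reference week number of a calendar date; conv is 'U' or 'W'. -1 on bad input. */
int week_of(int year, int month, int day, char conv)
{
    struct tm tm;
    if (fill_date(&tm, year, month, day) != 0) return -1;
    if (conv == 'U') return week_number_sunday(&tm);
    if (conv == 'W') return week_number_monday(&tm);
    return -1;
}

/* Compare the reference value with this libc's strftime(). Returns 1 when they
 * agree, 0 when they differ (the defect signature), -1 on error. */
int libc_agrees(int year, int month, int day, char conv)
{
    struct tm tm;
    char fmt[3] = { '%', conv, '\0' };
    char buf[8];
    int ref = week_of(year, month, day, conv);
    if (ref < 0 || fill_date(&tm, year, month, day) != 0) return -1;
    if (strftime(buf, sizeof buf, fmt, &tm) == 0) return -1;
    return atoi(buf) == ref;
}

int main(void)
{
    /* 1 January 2017 is a Sunday and 1 January 2018 a Monday: the two cases
     * named in the symptom, plus the end of each year's first week. */
    static const int dates[][3] = {
        {2017, 1, 1}, {2017, 1, 7}, {2017, 1, 8},
        {2018, 1, 1}, {2018, 1, 7}, {2018, 1, 8},
    };
    size_t i;
    for (i = 0; i < sizeof dates / sizeof dates[0]; i++) {
        int y = dates[i][0], m = dates[i][1], d = dates[i][2];
        printf("%04d-%02d-%02d  %%U=%d (%s)  %%W=%d (%s)\n", y, m, d,
               week_of(y, m, d, 'U'), libc_agrees(y, m, d, 'U') == 1 ? "libc ok" : "MISMATCH",
               week_of(y, m, d, 'W'), libc_agrees(y, m, d, 'W') == 1 ? "libc ok" : "MISMATCH");
    }
    return 0;
}
```

A MISMATCH line means the libc's week numbering departs from the reference formula; strftime() is used because its %U/%W output is the directly observable form of the same week definition.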
    On some methods the first call to the API iconv_close(3C) on a conversion descriptor deallocates the codesets for all the open conversion descriptors with the same "fromcode" and "tocode" arguments. In other words, if two descriptors are obtained by calling iconv_open() twice with the same "fromcode" and "tocode", then after the first descriptor is closed any operation on the second descriptor will cause a core dump. JAGaa00931, JAGaa00932.

    PHCO_13777:

    When the length of the environment variable LANG is longer than 1024 (MAXPATHLEN), catopen(3C) caused a core dump. DTS JAGaa01290.

    When a user with an expired password tries to log in on the console, they get a usage message from the passwd command: "usage: passwd [-F file] [name]". DTS JAGaa00533, SR 5003380394.

    When more than 435 processes are registered with portmap(3c) and a request for PMAPROCDUMP is made via UDP, portmapper hangs. SR 1653236562, DTS INDaa29151.

    PHCO_13775:

    After a call to the malloc(3C) API which fails with an ENOMEM error, in some corner cases with certain mallopt(3c) settings, smaller allocations subsequently return errors even when there is enough memory available for the allocation. DTS #: JAGaa01179

    Causes automountd to dump core when it tries to mount from an off-line server. DTS #: INDaa29523

    This patch is part of the 10.20 ACE 2 bundle which adds networking enhancements to 10.20. New networking features supported in ACE 2 include NFS Version 3.0, AutoFS and CacheFS. DTS #: DSDe441184, STARS #: 4701378117

    NIS map transfer fails due to a transfer timeout on the slave as a direct result of an inefficient method of scanning a sparse DBM database. DTS #: JAGaa01111, JAGaa01150, SR #: 5003392126

    PHCO_13626:

    10.20 strcoll performance is bad compared to 9.x for the Spanish locale and other single-byte locales. DSDe436357, SR 1653214346.

    Calling perror(string) with the length of string plus the message larger than 1024 will cause a core dump. DTS # JAGaa01178, JAGaa01166.

    Telnet connection requests hang but connect if tried again.
    INDaa29426, SR 1653242040.

    PHCO_13399:

    Regular expression pattern matching fails for UTF8 locales. As a result, commands like grep and ls will not be able to match patterns written for UTF8 correctly. JAGaa01146, JAGaa01147, JAGaa01151.

    PHCO_13282:

    The fix for SR 5003392126, DTS JAGaa01111 caused the following symptom: if dbm_nextkey() is called after a datum with a NULL dptr field has been returned from either dbm_firstkey() or dbm_nextkey(), an infinite loop occurs. This fix was rolled back. JAGaa01185.

    PHCO_13189:

    The API getlogin() returns invalid results for user names of 8 characters in some cases. JAGaa01154, SR 4701374512.

    The wcswidth(3c) API depends on methods/locales to return a value of 0 for an empty wide string. Sometimes a locale would return a value other than 0 for an empty wide string. JAGaa00448, SR 4701374470.

    PHCO_13029:

    NIS map transfer fails due to a transfer timeout on the slave as a direct result of an inefficient method of scanning a sparse DBM database. SR 5003392126, DTS JAGaa01111.

    The performance of strcoll is bad for multi-byte locales when compared to 9.x performance. SR 1653192724, DSDe432158.

    PHCO_12673:

    Alternate regular expressions with an anchored non-first subexpression fail to match if parentheses are not used. DTS# JAGaa00523

    PHCO_12448:

    The memmove(3C) API is slow when moving data to the right, as in memmove(c+1,c,249). DTS# DSDe433981, JAGaa00518, SR# 5003355867

    The last patch, PHCO_12128, breaks the correct functionality of Spanish locale collation for strcoll and strxfrm. This patch fixes that problem. DTS# JAGaa00792.

    The signal mask is not restored after calling free when mallopt(M_BLOCK,0) has been set. This only happens on multiple calls to free for the same pointer. DTS# JAGaa00773, JAGaa00489, DSDe424072; SR# 1653228304, 1653119560

    Non-root users of rlogin get the error message "rlogind: /dev/pts/1: Permission denied." if rlogind is configured in /etc/inetd.conf with the -l option.
    DTS# INDaa28226, SR# 4701364653

    PHCO_12128:

    NIS netgroups are searched recursively, causing poor performance when netgroups are nested. DTS # INDaa27824, SR# 5003377606.

    The API seekdir() fails to position the next readdir() operation for certain NFS directories. DTS# DSDe431565

    Customers using strcoll(3c) with a single-byte locale experience a performance problem. DTS# DSDe436357, SR# 1653214346

    In a customer application, regcomp(3C) followed by regexec(3C) returns an unexpected "no match" value when the locale is set to a non-C locale. DSDe437259, SR 1653215186.

    Output directed to stderr may be corrupted when an application opens files for non-buffered I/O by calling setbuf() with the _IONBF flag. The symptom is likely to manifest only in multi-threaded applications. DSDe437356.

    No reported symptoms - this is a proactive patch. DSDe436555.

    PHCO_11315:

    Customers using the Spanish locale (or any locale with 2-to-1 mapping) along with any patch which includes patch number PHCO_10027 will see incorrect collation. Other customers will never see this problem. DTS # DSDe436983, SR 1653214346.

    User applications calling catopen() may run out of file descriptors. DTS # DSDe435212, SR 1653208355.

    PHCO_11004:

    In a multi-threaded application, if one thread is waiting on a read which won't complete (e.g., stdin or a stalled pipe) and another thread calls exit() or abort(), the application would hang. DTS # DSDe435666, SR 1653211490.

    The group permissions of the parent directory of the home directory do not have to be set for "all" for the ".rhosts" check to succeed. The "rhosts" check changes the effective group id to the real group id before opening the ".rhosts" file. Also, ruserok() did not properly parse the username in hosts.equiv. DTS # INDaa22946, INDaa21768; SR # 5003297861, 5003274753.

    User applications calling catopen() may run out of file descriptors. DTS # DSDe435212, SR 1653208355.

    Memory leak in getservbyname. DTS# INDaa26623, SR# 5003358762.
    strcat() may core dump when the last word of the source string is at a page boundary. SR 5003302299, DSDe434239, DSDe427804.

    For regcomp/regexec, "^ *$" and similar patterns in non-C locales will incorrectly match lines with newlines in them. The ^$ pattern and empty strings won't match when they should in non-C locales. A pattern with ^ in the C locale and with REG_NEWLINE set will not consider newlines further down the string. DSDe434345, DSDe434746, DSDe434752; SR 1653204651, SR 4701349118.

    February 29, 2000 is rejected as a valid date by the getdate(3c) library call. DSDe434241, DSDe430766; SR #s 1653203026, 4701334763.

    getdate(3c) would set getdate_err to "no matching template entry" (7) instead of "invalid input specification" (8) for dates outside the range of the time_t data type. This has been fixed. DSDe434270

    PHCO_10027:

    Unacceptable degradation of collation using the Swedish language. DSDe432108, SR 1653192161.

    Regular expression pattern ".*" behaves incorrectly in the Japanese locale. DSDe433097.

    memcmp(3c) may core dump at a page boundary. DSDe433356, SR 4701344721.

    Applications built archived on release 10.20 will use the wrong locale libraries for the C locale if they are executed on a future HP-UX release. The result is unpredictable. Existing applications built with the archived libc in 10.20 need to be rebuilt with a libc that contains this patch if they are to be moved forward to a post-10.20 HP-UX release, to ensure that they use the correct locale libraries for the C locale on the new release. Existing 10.20 applications built shared do not have to be rebuilt with the patch to be migrated to a future HP-UX release. DSDe432519.

    PHCO_9577:

    When the customer runs the command "setprivgrp -g LOCKRDONLY", the NIS system hangs. INDaa24394, SR 5003320648. This fix was intended for PHCO_8979, but was inadvertently left out.

    PHCO_8979:

    The libc routine ulckpwdf always returns -1. As a result, /etc/.pwd.lock cannot be unlocked. DSDe431142, SR 5003338038.
    Memory leak in globfree(). DSDe431962, SR 5003344192.

    If the given weekday is the same as today and within the last 7 days of the month, getdate() returns Error 8. DSDe431143, SR 1653185629.

    In non-C locales, non-blank lines would match the pattern ^$ for regcomp(). DSDe431505, DSDe432126.

    User applications hit a limit of 1023 for the number of sets in a message catalog. DSDe431644, SR 5003341271.

    Calls to tempnam(), mktemp() and mkstemp() sometimes returned a dangling symlink as the name for a temporary file. SR 1653189134.

    The strptime and getdate calls did not handle two-digit year specifications in the same manner. This has been addressed by providing strptime and getdate with an alternative behavior for dealing with two-digit year specifications. In order to obtain the alternative behavior, which interprets two-digit year values in the range 66-99 to refer to the twentieth century and values in the range 00-68 to refer to the twenty-first century, the executable must link with the supplied object file, /usr/lib/year2000.o. Existing executables will continue to get the compatible behavior. DSDe430766, SR 4701334763.

    If the ndots resolver option is configured in /etc/resolv.conf and res_init() is directly or indirectly called, a memory leak will occur. Applications using the gethost*() APIs or directly using the resolver APIs (res_*()) in a DNS environment are open to this problem. INDaa23823.

    The getdate() routine fails with a signal 11 segmentation violation when accessing a datemask file that contains a very large number of alternative date formats. DSDe429925, SR 1653176883.

    PHCO_8764:

    Random truncation of strings with strcat due to the fix attempted in PHCO_8108.

    PHCO_8108:

    Significant performance degradation of regular expression processing in 10.X compared to 9.X. Affects awk, grep, sed, etc.

    Some printf variants available in patched 10.X systems weren't exported in 10.20.

    getcwd returns EINVAL when a negative buflen is passed in.

    memchr may core dump when the char is not found.
    Sometimes strcat would attempt to access an unmapped page of memory.

Defect Description:
    PHCO_14511:

    Whenever LANG is set to C and LC_COLLATE is set to a non-C locale, strcoll() incorrectly assumes that it has been initialized, when this is not the case. DSDe442035

    An internal function called by glob() attempts to free the same block twice. JAGaa01494

    memccpy() doesn't detect the value of 0 at address 0. JAGaa01280

    The defect was caused by copying one NULL string pointer to another without any checking. JAGaa01396, JAGaa01496, JAGaa01497

    strptime(3C) does not calculate the week number correctly when the first day of the year is a Sunday or a Monday. JAGaa00976, SR 1653231456

    PHCO_14199:

    There is a memory leak in the endpwent() and setpwent() libc functions when they are run in NIS environments. The program size grows in 4k increments for each endpwent() and setpwent() call in an NIS environment.

    The problem was introduced in cumulative libc patch PHCO_13029. It occurs for applications that 1) call fork and 2) implement their own version of the malloc functions. This problem is caused by linking with fork.o; all of the external symbols in malloc.o are imported, including the malloc functions such as malloc and free. This causes ld to find duplicate symbols, one for the application's own malloc function and one for the malloc function in malloc.o from libc.a. The patch should be installed if the symptoms occur when the application includes a call to fork(), yet the symptoms don't occur when the call to fork() is removed from the application.

    The APIs iconv_open(3C) and iconv_close(3C) didn't keep track of multiple uses of a method.

    PHCO_13777:

    HP-UX enforces that variable lengths should not exceed 1024. In catopen(3C), the string that represents the variable LANG was strcpy'ed into a buffer with a fixed size of MAXPATHLEN (1024). This caused a core dump when strlen(LANG) is longer than 1024.

    The getlogin(3) API in libc returns NULL when the tty is the console.
    Hence utilities like passwd print error messages when they use the getlogin() API to access the login name of the user.

    When the memory buffer overflows while trying to encode too much data, the memory area gets shortened at each request, eventually going negative. The pointer is not reset on error.

    PHCO_13775:

    In some corner cases a malloc(3c) internal error flag is not cleared.

    An RPC internal function does not handle client creation properly if the server is off-line.

    New functionality to support networking features in 10.20.

    NIS uses dbm to manage its data. Because of unlucky splitting, the '.pag' file has a large empty area which causes the NIS file transfer to fail because it takes longer than 25 seconds for dbm to get between keys.

    PHCO_13626:

    The performance of 10.20 strcoll is bad compared to 9.x for single-byte locales because of a slow algorithm used for replacing 1-to-2 map characters.

    The size of the string passed to perror, plus the message, was not checked and could have become larger than the size of the allocated output buffer. In such situations perror would have core dumped.

    The backlog limit for listen() was set at 2 by default. The limit was increased to 20 via SOMAXCONN in sockets.h.

    PHCO_13399:

    Regular expression pattern matching is done through the regcomp() and regexec() routines. These routines fail to match patterns correctly in UTF8 locale environments, e.g. the German locale de_DE.utf8.

    PHCO_13282:

    The case of calling dbm_nextkey() after the entire database has been traversed via dbm_firstkey() and dbm_nextkey() calls was not handled properly.

    PHCO_13189:

    The utmpx file contains an 8 character user name concatenated with 2 characters of device name.

    The implementation of the wcswidth(3c) API fails to comply with the specification if the locale dependent version of wcswidth does not comply.

    PHCO_13029:

    NIS uses dbm to manage its data.
    Because of unlucky splitting, the '.pag' file has a large empty area which causes the NIS file transfer to fail because it takes longer than 25 seconds for dbm to get between keys.

    The strcoll(3c) API for multi-byte locales was not optimized.

    PHCO_12673:

    awk and grep fail for certain regular expressions.

    PHCO_12448:

    The proper optimizations were not applied.

    This patch fixes the Spanish locale collation problem for the strcoll and strxfrm APIs caused by patch PHCO_12128.

    The signal mask was not restored for this corner case.

    The effective user and group id are set incorrectly in the call to ruserok() when rlogind is invoked with the "-l" option.

    PHCO_12128:

    If netgroups are nested, this causes the NIS netgroup files to be recursively searched, causing poor performance.

    The API seekdir(3) is unable to position the next readdir(3) operation if the directory is on a third-party NFS server that returns a negative signed 32-bit integer. The fix is made to readdir() so that it does not call the lseek(2) system call.

    This is a patch for the performance problem reported for Spanish locales. The patch helps all single-byte locales.

    A local data item was not being initialized properly.

    Incorrect internal buffer allocation can lead to an overlap between the stderr buffer and other internal buffers when files are opened for non-buffered I/O.

    Potential for data corruption or crashing if dbm_open is called with a filename which is too long.

    PHCO_11315:

    The trimming off of a common prefix from strings before collation causes a problem in the Spanish locale because it has a 2-to-1 mapped collation element. For example, "ch" should map after "co", but if the common prefix "c" is removed, "h" will collate before "o", which is incorrect.

    An incorrect setting of NLSPATH, e.g. NLSPATH="/tmp", causes catopen() to leave open file descriptors behind. As a result, applications that frequently call catopen() with an incorrectly set NLSPATH can run out of file descriptors.
    PHCO_11004:

    Code which cleans up stdio streams did not handle read-only streams which were waiting indefinitely on a read.

    1. The "rhosts" check fails if the parent directory of the user's home directory does not have the right group permissions. Consider the case where the parent directory has permissions "710":

        /home         - permissions rwx--x---
        /home/student - permissions rwx------

    The directories home and student belong to the same group. The "rhosts" check fails when a remote user tries to log in as "student". This is because the ruserok() routine does not change the effective group id to the real group id before opening the ".rhosts" file.

    2. Usernames in the hosts.equiv file are improperly parsed.

    The ruserok() code now exhibits the expected and documented behavior.

    An incorrect setting of NLSPATH, e.g. NLSPATH="/tmp", causes catopen() to leave open file descriptors behind. As a result, applications that frequently call catopen() with an incorrectly set NLSPATH can run out of file descriptors.

    NIS getservbyname() had a memory leak.

    strcat() prefetches a word before doing the shift and concatenation. A check for end of string should be performed before the prefetch, since the prefetched word may be across the page boundary. This is now fixed.

    The non-C locale code continued to check beyond the terminating null character. In the C locale with REG_NEWLINE set, the ^ case should continue checking the entire string in case there are newlines in the string.

    The leap year algorithm was incorrect for getdate(3c).

    The check for the range of the input date was in the wrong place.

    PHCO_10027:

    Unacceptable degradation of collation using the Swedish language.

    Regular expression pattern ".*" behaves incorrectly in the Japanese locale.

    memcmp tried to prefetch words from outside the valid memory page, and this might cause core dumps. The prefetching of invalid memory words was caused by an incorrect calculation of the number of words to fetch and compare. This is fixed now.
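The prefetch defects described above for strcat(), memcmp() and memchr() share one signature: the routine reads a word beyond the bytes it was given, and faults when that word lies on an unmapped page. The following guard-page harness is an added example, not HP's code, that makes the condition reproducible: the string's terminating NUL is the last byte before a PROT_NONE page, and a read past it becomes a return value rather than a core dump. It assumes a POSIX system with mmap()/mprotect(); the probe names are chosen here.

```c
/* Added example, not HP's code: a guard-page harness for the "prefetch past the end
 * of the string onto an unmapped page" defects described above for strcat(), memcmp()
 * and memchr(). The string's NUL is the last byte before a PROT_NONE page, so a routine
 * that reads one word too many faults, and the fault becomes a return value.
 * Assumes a POSIX system with mmap()/mprotect(); the probe names are invented here. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef void (*probe_fn)(const char *s, size_t len);
static sigjmp_buf fault_jump;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jump, 1); }

/* Map two pages, revoke access to the second, and return the len + 1 bytes that
 * end exactly at the boundary between them. */
static char *region_before_guard(size_t len, void **map, size_t *maplen)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (len + 1 > pg) return NULL;
    *maplen = 2 * pg;
    *map = mmap(NULL, *maplen, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (*map == MAP_FAILED) return NULL;
    if (mprotect((char *)*map + pg, pg, PROT_NONE) != 0) { munmap(*map, *maplen); return NULL; }
    return (char *)*map + pg - (len + 1);
}

/* Run fn() on a len-byte string whose NUL is the last accessible byte. Returns 1 if
 * the call completed, 0 if it touched the guard page (the defect signature), -1 if
 * the mapping could not be set up. */
int probe(probe_fn fn, size_t len)
{
    void *map; size_t maplen; int ok;
    void (*old_segv)(int), (*old_bus)(int);
    char *s = region_before_guard(len, &map, &maplen);
    if (!s) return -1;
    memset(s, 'a', len);
    s[len] = '\0';
    old_segv = signal(SIGSEGV, on_fault);   /* SIGBUS as well: some systems raise it instead */
    old_bus = signal(SIGBUS, on_fault);
    if (sigsetjmp(fault_jump, 1) == 0) { fn(s, len); ok = 1; } else ok = 0;
    signal(SIGSEGV, old_segv);
    signal(SIGBUS, old_bus);
    munmap(map, maplen);
    return ok;
}

/* The three routines from the symptom list, each given exactly the bytes it may read. */
void probe_strcat(const char *s, size_t len)
{
    char *dest = calloc(len + 1, 1);                 /* empty destination with room for s */
    if (dest) { strcat(dest, s); free(dest); }
}
void probe_memchr(const char *s, size_t len)
{
    volatile const void *hit = memchr(s, 'z', len); (void)hit;  /* 'z' never occurs: full scan */
}
void probe_memcmp(const char *s, size_t len)
{
    char *copy = malloc(len); if (!copy) return;
    memcpy(copy, s, len);
    volatile int cmp = memcmp(s, copy, len);        /* equal buffers: full compare */
    (void)cmp; free(copy);
}

int main(void)
{
    probe_fn fns[] = { probe_strcat, probe_memchr, probe_memcmp };
    const char *names[] = { "strcat", "memchr", "memcmp" };
    size_t lens[] = { 1, 7, 13, 31, 100 }, i, j;    /* odd lengths end mid-word */
    for (i = 0; i < 3; i++)
        for (j = 0; j < 5; j++)
            printf("%-6s len=%3zu: %s\n", names[i], lens[j], probe(fns[i], lens[j]) == 1 ? "ok" : "FAULT");
    return 0;
}
```

A FAULT line means the routine read beyond the bytes it was given; a clean run shows only that this particular libc does not.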
    In a system with more than one set of locale libraries to be used by libc.1 and libc.2, libc.1 will use the wrong set of locale libraries for the C locale. libc.1 needs to be changed to use the locale libraries in the /usr/lib/nls/loc/locales.1 directory instead of /usr/lib/nls/loc/locales, which is a symbolic link to /usr/lib/nls/loc/locales.2 on an HP-UX 10.30 system. This patch is needed for an HP-UX 10.20 machine if that machine is being used to build applications which you intend to run on future releases of HP-UX. This patch is not needed for correct operation of programs on an HP-UX 10.20 system, because there /usr/lib/nls/loc/locales is a symbolic link to /usr/lib/nls/loc/locales.1.

    PHCO_9577:

    The problem is in yp_bind.c. The second function call to flock() has a syntax error in the parameter list. The first call to flock() is correct. When this command is given, the second call to flock() is in code which is only invoked when Talk2_binder() is called, and then it hangs.

    PHCO_8979:

    If you lock /etc/.pwd.lock using lckpwdf, there is no way to determine that it was unlocked, because ulckpwdf always returns -1.

    Allocated memory was not properly freed by globfree() after use.

    The day of the month was being improperly adjusted for the case when the day of the week matched today.

    The pattern map was set such that it would continue matching past the end of the pattern.

    The maximum number of message sets allowed in a message catalog was not high enough; it has been increased to 65535.

    The tempnam(), mktemp() and mkstemp() APIs did not check for a dangling symlink before returning it; this has now been fixed.

    The strptime and getdate calls were not consistent in the manner in which they handled two-digit year specifications.

    res_init() leads to the processing of the ndots option. In processing the ndots value, a routine was called that could generate a recursive loop back to res_init(). During the recursive loop a memory leak would be generated.
    The code has been redesigned to avoid this loop condition.

    When a very large template file is used, and the getdate() routine has to search far into the file to find a matching format specifier, getdate() overran the allocated array.

    PHCO_8764:

    The fix for strcat's page boundary problem caused truncation of some strings.

    PHCO_8108:

    Poor performance of 10.X regular expression processing in comparison to 9.X.

    The affected entry points were not exported properly.

    According to X/Open, getcwd takes a second argument of type size_t and returns EINVAL only when the second argument is 0.

    memchr tries to read beyond the end of valid memory when the char is not found in the string and may core dump.

    The strcat call didn't handle an optimized pre-fetching strategy properly, causing the read of bytes belonging to unmapped pages.

SR: 4701309294 1653155929 1653169615 5003338038 5003344192 1653185629
    5003341271 1653189134 4701334763 5003320648 1653176883 1653192161
    4701344721 1653211490 5003297861 5003274753 1653208355 5003358762
    5003302299 1653204651 4701349118 1653203026 4701334763 1653214346
    1653208355 1653215186 5003377606 5003355867 1653228304 1653119560
    4701364653 5003392126 1653192724 4701374512 4701374470 1653214346
    1653242040 4701378117 5003392126 5003380394 1653236562 5003395673
    1653231456

Patch Files:
    /usr/lib/libc.a
    /usr/lib/libp/libc.a
    /usr/lib/libpicc.a
    /usr/lib/libc.1
    /usr/lib/year2000.o

what(1) Output:
    /usr/lib/libc.a:
        PATCH-PHCO_14511 for 10.20; for 10.30, 11.x compatibility
        libc.a_ID@@/main/r10dav/libc_dav/libc_dav_cpe/8 /ux/core/libs/libc/archive_pa1/libc.a_ID Mar 12 1998 12:42:31
    /usr/lib/libp/libc.a:
        PATCH-PHCO_14511 for 10.20; for 10.30, 11.x compatibility
        libc.a_ID@@/main/r10dav/libc_dav/libc_dav_cpe/8 /ux/core/libs/libc/profiled_pa1/libc.a_ID Mar 12 1998 13:40:41
    /usr/lib/libpicc.a:
        PATCH-PHCO_14511 for 10.20; for 10.30, 11.x compatibility
        libc.1_ID@@/main/r10dav/libc_dav/libc_dav_cpe/8 /ux/core/libs/libc/shared_pa1/libc.1_ID Mar 12 1998 12:59:33
    /usr/lib/libc.1:
        PATCH-PHCO_14511 for 10.20; for 10.30, 11.x compatibility
        libc.1_ID@@/main/r10dav/libc_dav/libc_dav_cpe/8 /ux/core/libs/libc/shared_pa1/libc.1_ID Mar 12 1998 12:58:37
    /usr/lib/year2000.o:
        None

cksum(1) Output:
    2432735792 2417932 /usr/lib/libc.a
    911005367 2599112 /usr/lib/libp/libc.a
    3823942806 2595690 /usr/lib/libpicc.a
    2874876333 1839104 /usr/lib/libc.1
    970213139 704 /usr/lib/year2000.o

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHCO_8108 PHCO_8764 PHCO_8979 PHCO_9577 PHCO_10027 PHCO_11004
            PHCO_11315 PHCO_12128 PHCO_12448 PHCO_12673 PHCO_13029 PHCO_13189
            PHCO_13282 PHCO_13399 PHCO_13626 PHCO_13775 PHCO_13777 PHCO_14199

Equivalent Patches: None

Patch Package Size: 9290 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.

    ------------------------------------------------------------

    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_14511

    5a. For a standalone system, run swinstall to install the patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHCO_14511.depot

    5b. For a homogeneous NFS Diskless cluster, run swcluster on the server to install the patch on the server and the clients:

        swcluster -i -b

    This will invoke swcluster in the interactive mode and force all clients to be shut down.

    WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems.
    The swcluster command will invoke an swinstall session in which you must specify:

        alternate root path - default is /export/shared_root/OS_700
        source depot path   - /tmp/PHCO_14511.depot

    To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar.

    5c. For a heterogeneous NFS Diskless cluster:

        - run swinstall on the server as in step 5a to install the patch on the cluster server.
        - run swcluster on the server as in step 5b to install the patch on the cluster clients.

    By default swinstall will archive the original software in /var/adm/sw/patch/PHCO_14511. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.

    Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.

    It is recommended that you move the PHCO_14511.text file to /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape drive, use the command:

        dd if=/tmp/PHCO_14511.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    If libc patches are installed without rebooting, applications currently running which are linked shared against libc will still continue using the former version of libc. If this presents a problem to any applications, you should reboot.