Patch Name: PHCO_14666

Patch Description: s700_800 10.30 libc cumulative patch

Creation Date: 98/04/02

Post Date: 98/04/08

Hardware Platforms - OS Releases:
    s700: 10.30
    s800: 10.30

Products: N/A

Filesets: OS-Core.C-MIN
          OS-Core.CORE-SHLIBS
          ProgSupport.PROG-AUX
          ProgSupport.PROG-MIN

Automatic Reboot?: No

Status: General Release

Critical: No (superseded patches were critical)
          PHCO_13674:
          ABORT

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_14666

Symptoms: PHCO_14666:

    Purify reports ``UMR: Uninitialized memory read.'' in the __libc_mutex_alloc function for multi-threaded applications. SR 5003412031

    When the length of the environment variable LANG is longer than 1024 (MAXPATHLEN), catopen(3C) in /usr/sbin/lanadmin caused a coredump. DTS JAGaa01290.

    When users with an expired password try to log in on the console, they get a usage message from the passwd command: usage: passwd [-F file] [name]. DTS JAGaa01505, SR 5003380394.

    Applications using their own versions of malloc() and free() would notice free() being called twice on the same block while using the glob() libc API. DTS JAGaa01494.

    On some methods the first call to the API iconv_close(3C) on a conversion descriptor deallocates the codesets for all the opened conversion descriptors with the same "fromcode" and "tocode" arguments. In other words, if there are two descriptors obtained by calling iconv_open() twice with the same "fromcode" and "tocode", then after closing the first descriptor any operation on the second descriptor will cause a core dump. DTS JAGaa00931 JAGaa00932.

    Inconsistent behaviour between pre-10.20 systems and 10.20 onwards in the memccpy() API. JAGaa01280.

    The signal mask is not restored after calling free when mallopt(M_BLOCK,0) has been set. This only happens on multiple calls to free for the same pointer. DTS JAGaa01290.

    The API regcomp() dumped core, instead of returning an error, when dealing with some non-recognizable expressions. DTS: JAGaa01396, JAGaa01496, JAGaa01497.

    strptime(3C) does not calculate the week number correctly when the first day of the year is a Sunday (for %U and %W) or a Monday (for %W). DTS: JAGaa00976, SR: 1653231456.

    NIS map transfer fails due to a transfer timeout on the slave as a direct result of an inefficient method of scanning a sparse DBM database. DTS: JAGaa01111, JAGaa01150 SR: 5003392126.

    When a Null pointer is used as the argument to fputs and puts, the behavior is inconsistent between pre-10.20 and 10.20 onward releases. DTS JAGaa01513

    Calling openlog() with a very long ident string causes syslog() to dump core or produce unexpected/undefined results. DTS JAGaa0127

    Calling perror(string) with the length of string plus the message larger than 1024 will cause a coredump. DTS # JAGaa01178, JAGaa01166.

    PHCO_13674:

    Installing PHCO_12424 or PHCO_13347 caused core dumps in stdio routines. The fix was to roll back the memccpy change introduced in PHCO_12424; this fix will be re-instated once a suitable solution is found.

    PHCO_13347:

    Threaded applications calling the gets(3S) API may hang after doing another i/o operation on stdin. DTS JAGaa01148, SR 5003394833.

    PHCO_12424:

    The problem is within memccpy(3C) using memchr(3C). If memchr(3C) finds, e.g., '\0' at address 0x00000000, it returns 0, the same value it returns when it did not find '\0' at all. The fputs(3S) call does not handle this well as prior to 10.20, e.g., fputs(NULL, fp) would not work correctly in this case. DTS# DSDe438042, SR# 1653222620

    Output directed to stderr may be corrupted when an application opens files for non-buffered i/o by calling setbuf() with the _IONBF flag. The symptom is likely to manifest only in multi-threaded applications. DSDe437356.

    Due to an incorrect definition of LONG_LONG_MIN in limits.h, a comparison with LONG_LONG_MIN is not guaranteed to produce the correct result, as the value of LONG_LONG_MIN is larger than what it is expected to be. DTS DSDe437497

    A customer using the Spanish locale (or any locale with 2 to 1 mapping) along with any patch which supersedes the fix for collation performance in Swedish locales (PHCO_10027) will see incorrect collation. Other customers will never see this problem. DTS# DSDe436983, SR# 1653214346

    Fixed potential buffer overrun.

    Non-root users of rlogin get the error message: "rlogind: /dev/pts/1: Permission denied." if configured in /etc/inetd.conf with the -l option. DTS INDaa28226, SR 4701364653

    The APIs ecvt/fcvt return different values for the decimal point index on certain boundary conditions between the Sacramento and Roseville releases. DTS DSDe438432.

    In a customer application, regcomp(3C) followed by regexec(3C) returns an unexpected "no match" value when the locale is set to a non-C locale. DSDe437259, SR 1653215186.

    If an application that uses message catalogs is run in an environment where NLSPATH is set incorrectly (eg. NLSPATH="/tmp", where the NLSPATH element /tmp does not specify a filename template) the application may run out of file descriptors. DSDe435212, SR 1653208355.

    ctime_r() may fail intermittently in a multi-threaded application. DSDe433684.

    An application calling sleep() without establishing a SIGALRM handler terminates if the sleep() is interrupted by a SIGALRM. DSDe434618. SR 4701358556.

    Use of snprintf() can cause a buffer overflow. DSDe436686.

    No reported symptoms - this is a proactive patch. DTS DSDe436555.

    The API makecontext() in libc doesn't work for Release 10.30 systems running on 64-bit hardware only. An application using this API would generate a memory fault on Release 10.30 systems running on 64-bit hardware. On the 32-bit platform, the API executes successfully. DSDe435355.

    Executables which redefine certain reserved words may interfere with some library operations. DTS DSDe435430.
    Concurrent calls to fread() (or other stdio input functions) on unbuffered or line buffered files can lead to a deadlock in libc in a multi-threaded application. DSDe435666, DSDe435913, JAGaa00772, DSDe439204, SR 1653211490, SR 1653228528.

Defect Description: PHCO_14666:

    Mutex initialization may unexpectedly fail due to a failure to zero out dynamically allocated mutexes prior to calling the initialization routine. SR 5003412031

    HP-UX enforces that variable lengths should not exceed 1024. In catopen(3C), the string that represents the variable LANG was strcpy'ed into a buffer with a fixed size of MAXPATHLEN (1024). This caused a coredump when strlen(LANG) was longer than 1024. DTS JAGaa01290.

    The getlogin(3) API in libc returns NULL when the tty is the console. Hence utilities like passwd print error messages when they use the getlogin() API to access the login name of the user. DTS JAGaa01505, SR 5003380394.

    An internal function called by glob() attempts to free() the same block twice. DTS JAGaa01494.

    The APIs iconv_open(3C) and iconv_close(3C) didn't keep track of multiple uses of a method. DTS JAGaa00931 JAGaa00932.

    memccpy() doesn't detect the value of 0 at address 0. DTS JAGaa01280.

    The signal mask was not restored for this corner case. DTS JAGaa01290.

    The defect was caused by copying one NULL string pointer to another without any checking. DTS: JAGaa01396, JAGaa01496, JAGaa01497.

    strptime(3C) does not produce the correct week number for dates in a year that begins on a Sunday or a Monday. DTS: JAGaa00976, SR: 1653231456.

    NIS uses dbm to manage its data. Because of unlucky splitting, the '.pag' file has a large empty area which causes the NIS file transfer to fail because it takes longer than 25 seconds for dbm to get between keys. DTS: JAGaa01111.

    dbm_do_nextkey() is not exported from libc, which means that NIS code which calls this function will not link if libndbm is not present. Because we only want to provide the fix for JAGaa01111 in libc (and not in libndbm), we must export this function. DTS: JAGaa01150.

    The correct behavior should be: when a Null pointer is passed as the argument to fputs and puts, fputs should return 0 and write nothing to the file, and puts should return 1 and write '\n' to stdout. The above behavior is now in 10.20, 10.30, 11.0, and 11.al, which is consistent with the pre-10.20 behavior. DTS JAGaa01513

    syslog() in libc/gen/core/syslog.c was modified to fix this problem. DTS JAGaa0127

    The size of the string passed to perror, plus the message, was not checked and could have become larger than the size of the allocated output buffer. In such situations perror would have coredumped. DTS # JAGaa01178, JAGaa01166.

    PHCO_13674:

    The change to memccpy introduced in PHCO_12424 had a defect which causes core dumps.

    PHCO_13347:

    The gets(3S) API can fail to release a lock after encountering an EOF condition. This will cause another thread in the application doing an i/o operation on stdin to hang, leading potentially to an application deadlock.

    PHCO_12424:

    If memccpy(3C) uses memchr(3C), and that returns NULL, memccpy(3C) needs to check whether that NULL means the character is indeed found at address NULL, or whether it means the character is not found at all.

    Incorrect internal buffer allocation can lead to an overlap between the stderr buffer and other internal buffers when files are opened for non-buffered i/o.

    LONG_LONG_MIN was defined to be -9223372036854775808LL in limits.h. The minus sign in front of the number 9223372036854775808LL is a unary operator. The constant next to it is already larger than LONG_LONG_MAX, hence it is promoted to the next possible larger data type, which is unsigned long long. The fix is to change the definition to (-9223372036854775807LL -1).

    The trimming off of the common prefix from strings before collation causes a problem in the Spanish locale because it has a 2 to 1 mapped collation element. E.g. "ch" should map after "co", but if the common prefix "c" is removed, "h" will map before "o", which is incorrect.

    N/A

    The effective user and group id are set incorrectly in the call ruserok() when rlogind is invoked with the option "-l".

    Passing a negative value for "ndigits" to ecvt or fcvt will cause them to return different values for the decimal point index between Sacramento and Roseville. This patch changes the Sacramento behavior to conform to Roseville. This behavior is undocumented in the standards and man pages.

    A local data item was not being initialized properly.

    An incorrect setting of NLSPATH, eg. NLSPATH="/tmp", causes catopen() to leave open file descriptors behind. As a result, applications that frequently call catopen() with an incorrectly set NLSPATH can run out of file descriptors.

    ctime_r() was incorrectly parsing the TZ variable, leading to incorrect conversion.

    An application calling sleep() without establishing a SIGALRM handler terminates if the sleep() is interrupted by a SIGALRM.

    snprintf() fails to check boundary conditions.

    Potential for data corruption/crashing if dbm_open is called with a filename which is too long.

    The defect is due to incorrect typecasting of pointers to 32-bit values in the makecontext() API. To reproduce this problem, run an application using the makecontext() API on a Release 10.30 system running on 64-bit hardware. The makecontext() API is very rarely used. If there are any applications installed on the 10.30 system known to be using the makecontext() API, then the patch needs to be installed.

    Executables which redefine certain reserved words may interfere with some library operations.

    Incorrect locking order in libc can lead to deadlocks while reading unbuffered or line buffered files.
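The catopen(3C), perror and openlog() defects above share one cause: a caller-controlled string is copied into a fixed-size buffer without first checking that it fits. The following is an added example, not HP's catopen code, showing the length check done before any byte is written; the catalog layout /usr/lib/nls/msg/<LANG>/<name>.cat and the function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

#define MAXPATHLEN 1024          /* the fixed buffer size named in the patch text */

/* Added example, not HP's catopen(3C). Builds the catalog path a catopen-style
 * lookup would open for message catalog `name` under the LANG directory; the
 * layout /usr/lib/nls/msg/<LANG>/<name>.cat is an assumption for the example.
 * Returns 0 on success and -1 if the result would not fit in out[outsz]; the
 * size check happens before any byte is copied, which is what the unchecked
 * strcpy of LANG into a MAXPATHLEN buffer was missing. */
int build_catalog_path(const char *lang, const char *name, char *out, size_t outsz)
{
    static const char prefix[] = "/usr/lib/nls/msg/";
    size_t p = sizeof prefix - 1, l = strlen(lang), n = strlen(name);

    /* prefix + LANG + '/' + name + ".cat" must still leave room for the NUL */
    if (l == 0 || p + l + 1 + n + 4 >= outsz)
        return -1;
    memcpy(out, prefix, p);
    memcpy(out + p, lang, l);
    out[p + l] = '/';
    memcpy(out + p + l + 1, name, n);
    memcpy(out + p + l + 1 + n, ".cat", 5);   /* includes the terminating NUL */
    return 0;
}

/* Drives the check with a constructed LANG value of `len` bytes, standing in
 * for an environment variable of that length (constructed input for the
 * example); returns build_catalog_path's result. */
int check_lang_of_length(size_t len)
{
    char out[MAXPATHLEN];
    char *lang = malloc(len + 1);
    int rc;

    if (lang == NULL)
        return -1;
    memset(lang, 'x', len);
    lang[len] = '\0';
    rc = build_catalog_path(lang, "lanadmin", out, sizeof out);
    free(lang);
    return rc;
}
```

With the 17-byte prefix, the 8-byte name "lanadmin" and the suffix, a LANG of 993 bytes is the longest that fits a MAXPATHLEN buffer; anything longer is refused instead of overrunning it.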
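The LONG_LONG_MIN defect can be reproduced on any compiler with 64-bit long long. The block below is an added example, not HP's limits.h: the defective constant is written in hex so that it compiles without a diagnostic (the decimal form quoted above is promoted the same way, but draws a warning from current compilers), and the macro and function names are the example's own.

```c
/* Added example, not HP's limits.h. The defective definition from the patch
 * text is -9223372036854775808LL; written here with the equivalent hex
 * constant so it compiles cleanly, and the same promotion happens:
 * 0x8000000000000000 exceeds LONG_LONG_MAX, so the constant takes the type
 * unsigned long long and the unary minus is applied to that. */
#define BAD_LONG_LONG_MIN  (-0x8000000000000000LL)

/* The corrected definition given in the patch text. */
#define GOOD_LONG_LONG_MIN (-9223372036854775807LL - 1)

/* 1 if the macro's type is unsigned long long (C11 _Generic). */
int bad_min_is_unsigned(void)
{
    return _Generic(BAD_LONG_LONG_MIN, unsigned long long: 1, default: 0);
}
int good_min_is_long_long(void)
{
    return _Generic(GOOD_LONG_LONG_MIN, long long: 1, default: 0);
}

/* The value itself: the defective macro is +2^63, not -2^63. */
int bad_min_is_nonnegative(void)  { return BAD_LONG_LONG_MIN >= 0; }
int good_min_is_negative(void)    { return GOOD_LONG_LONG_MIN < 0; }

/* A lower-bound check as an application would write it. With the defective
 * macro the signed operand v is converted to unsigned long long for the
 * comparison, so small positive values fail the check and negative values
 * pass it only because their two's-complement bit patterns are large. */
int at_least_min_bad(long long v)  { return v >= BAD_LONG_LONG_MIN; }
int at_least_min_good(long long v) { return v >= GOOD_LONG_LONG_MIN; }
```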
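The collation defect is easiest to see with a toy collator. The following is an added example, not HP's libc: a minimal collation in which "ch" is one element ordered between "c" and "d" (the 2 to 1 mapping described for the Spanish locale), compared once correctly and once after the common-prefix trimming that the patch removes. The weights and function names are the example's own.

```c
/* Added example, not HP's libc. A toy collation for a locale in which "ch"
 * is a single collation element sorted between "c" and "d", the 2-to-1
 * mapping the patch text attributes to the Spanish locale. */

/* Weight of the collation element starting at s; its byte length goes into
 * *len. Single letters get even weights, "ch" gets the odd weight that sits
 * between 'c' and 'd'; any other byte sorts before every letter. */
static int next_element(const char *s, int *len)
{
    if (s[0] == 'c' && s[1] == 'h') {
        *len = 2;
        return ('c' - 'a') * 2 + 1;
    }
    *len = 1;
    if (s[0] >= 'a' && s[0] <= 'z')
        return (s[0] - 'a') * 2;
    return -1;
}

/* Correct comparison: walk both strings one collation element at a time.
 * Returns <0, 0 or >0 like strcoll(3C). */
int collate(const char *a, const char *b)
{
    while (*a || *b) {
        int la = 0, lb = 0;
        int wa = *a ? next_element(a, &la) : -2;   /* end of string sorts first */
        int wb = *b ? next_element(b, &lb) : -2;
        if (wa != wb)
            return wa < wb ? -1 : 1;
        a += la;
        b += lb;
    }
    return 0;
}

/* The defective optimisation the patch removes: strip the common byte prefix
 * first, then collate the remainders. Stripping the "c" of "chico" turns the
 * two-byte element "ch" into a plain "h", which then sorts before "o". */
int collate_trimmed(const char *a, const char *b)
{
    while (*a && *a == *b) {
        a++;
        b++;
    }
    return collate(a, b);
}
```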
SR: 4701364653 1653215186 1653208355 4701358556 1653214346 1653211490
    1653228528 5003394833 5003380394 1653231456 5003392126 5003412031

Patch Files: /usr/lib/libc.a
             /usr/lib/libp/libc.a
             /usr/lib/libpicc.a
             /usr/lib/libc.2

what(1) Output:
    /usr/lib/libc.a:
        PATCH/10.30:PHCO_14666 libc.a_ID@@/main/r10sac/cup_libc-sac-cpe/1 /ux/core/libs/libc/archive_pa1/libc.a_ID Apr 2 1998 17:04:42
    /usr/lib/libp/libc.a:
        PATCH/10.30:PHCO_14666 libc.a_ID@@/main/r10sac/cup_libc-sac-cpe/1 /ux/core/libs/libc/profiled_pa1/libc.a_ID Apr 2 1998 17:16:23
    /usr/lib/libpicc.a:
        PATCH/10.30:PHCO_14666 libc.2_ID@@/main/r10sac/cup_libc-sac-cpe/1 /ux/core/libs/libc/shared_pa1/libc.2_ID Apr 2 1998 17:10:27
    /usr/lib/libc.2:
        PATCH/10.30:PHCO_14666 libc.2_ID@@/main/r10sac/cup_libc-sac-cpe/1 /ux/core/libs/libc/shared_pa1/libc.2_ID Apr 2 1998 17:10:27

cksum(1) Output:
    1996750769 2103098 /usr/lib/libc.a
    1751083578 2249638 /usr/lib/libp/libc.a
    1490432838 2184430 /usr/lib/libpicc.a
    2862813515 1368064 /usr/lib/libc.2

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHCO_12424
            PHCO_13347
            PHCO_13674

Equivalent Patches: None

Patch Package Size: 7780 KBytes

Installation Instructions:

    Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.

    ------------------------------------------------------------

    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_14666

    5a. For a standalone system, run swinstall to install the patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHCO_14666.depot

    5b. For a homogeneous NFS Diskless cluster, run swcluster on the server to install the patch on the server and the clients:

        swcluster -i -b

        This will invoke swcluster in the interactive mode and force all clients to be shut down.

        WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems.

        The swcluster command will invoke an swinstall session in which you must specify:

            alternate root path - default is /export/shared_root/OS_700
            source depot path   - /tmp/PHCO_14666.depot

        To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar.

    5c. For a heterogeneous NFS Diskless cluster:

        - run swinstall on the server as in step 5a to install the patch on the cluster server.
        - run swcluster on the server as in step 5b to install the patch on the cluster clients.

    By default swinstall will archive the original software in /var/adm/sw/patch/PHCO_14666. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.

    Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.

    It is recommended that you move the PHCO_14666.text file to /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape drive, use the command:

        dd if=/tmp/PHCO_14666.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:

    If libc patches are installed without rebooting, applications currently running which are linked shared against libc will continue using the former version of libc. If this presents a problem to any applications, you should reboot.