Patch Name: PHCO_20588

Patch Description: s700_800 10.10 libc cumulative patch

Creation Date: 00/04/10

Post Date: 00/06/06

Hardware Platforms - OS Releases:
  s700: 10.10
  s800: 10.10

Products: N/A

Filesets:
  OS-Core.C-MIN
  OS-Core.CORE-SHLIBS
  ProgSupport.PROG-MIN
  ProgSupport.PROG-AUX
  OS-Core.UX-CORE

Automatic Reboot?: No

Status: General Release

Critical: No (superseded patches were critical)
  PHCO_8763: CORRUPTION

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_20588

Symptoms:
  PHCO_20588:
    endpwent() dumps core if NIS is used.
    JAGab84526; SR 8606112213

  PHCO_19371:
    regexec() matches "." in the empty string "" in locales other than C.
    JAGaa53114; SR 4701413906

    asctime() does not work for years >= 2100.
    JAGaa55561

    The check for whether the root directory has been reached in getcwd(3C) was not done correctly in the case of a Loop Back File System (LOFS).
    JAGaa62640 JAGaa86038 JAGaa86039; SR 4701414862

    For a week which contains days in both the previous year and the new year, strftime(3C) with %V returns two different week numbers for the days in the previous year and those in the new year. In addition, if fewer than 4 days of that week fall in the new year, it always returns 53 as the week number for the days in the new year, regardless of whether the last week of the previous year was 52 or 53.
    JAGaa93337 JAGaa93338 JAGaa93339; SR 1653245415

    strptime(3C) does not fill in tm_wday, tm_mon and tm_mday when supplied with both the year and the day of the year.
    JAGab65823; SR 8606101862

  PHCO_16722:
    strptime(3C) treats February 29 and March 1 of a leap year as the same day when the %a or %A and the %W or %U conversion specifications are used at the same time. The values returned for tm_yday and tm_wday for March 1 are incorrect.
    JAGaa41262 SR 1653269738, JAGaa41263 SR 1653269738

  PHCO_15154:
    When a user with an expired password tries to log in on the console, they get the usage message from the passwd command:
        usage: passwd [-F file] [name]
    JAGaa01505; SR 5003380394

    C++ applications that attempt to use __toupper() and/or __tolower() fail to compile because the function prototypes for them are not available.
    JAGaa05224, JAGaa06023; SR 4701389932 4701390138

    getcwd(3C) fails with ENOENT if the root file system is a loopback file system (LOFS) after a chroot.
    JAGaa11165, JAGaa01441, JAGaa05219, JAGaa06021; SR 4701382374 4701394395 4701389916 4701390120

    The getdate() function does not parse the template file correctly when the %r field descriptor is used in at least one of the templates. This leads to a non-zero getdate_err being returned even when the template file contains a matching template. In addition, getdate() does not correctly handle the case where %I is used in a template but %p is not.
    JAGaa00429, JAGaa10165, JAGaa10166, JAGaa10167, JAGaa10168, JAGaa05222, JAGaa10164, JAGaa10163, JAGaa08067, JAGaa10158, JAGaa12392; SR 4701392977 4701392969 1653261081 4701392928 4701394650

    The memmove(3C) API is slow when moving data to the right, as in memmove(c+1, c, 249).
    JAGaa00539; SR 5003355867

    catopen() caused /usr/sbin/lanadmin to dump core when LANG is longer than 1024 characters.
    JAGaa08238 JAGaa08239 JAGaa08240 JAGaa08241

  PHCO_14254:
    When a customer program containing calls to endpwent() is run in an NIS environment, a memory leak is observed. After several days of running, the program is unable to continue due to an out-of-memory condition.
    JAGaa01175, SR 5003395673.

    When more than 435 processes are registered with portmap(3c) and a request for PMAPPROC_DUMP is made via UDP, portmapper hangs.
    SR 1653236562, DTS INDaa29151.

  PHCO_13917:
    Calling perror(string) when the length of string plus the message is larger than 1024 will cause a core dump.
    DTS # JAGaa01178, JAGaa01166.
  PHCO_12198:
    Concurrent calls to fread() (or other stdio input functions) on unbuffered or line-buffered files can lead to a deadlock in libc in a multi-threaded application.
    DSDe435666, DSDe435913, JAGaa00772, DSDe439204, SR 1653211490, SR 1653228528

    Non-root users of rlogin get the error message:
        rlogind: /dev/pts/1: Permission denied.
    if rlogind is configured in /etc/inetd.conf with the -l option.
    DTS INDaa28226, SR 4701364653

    NIS netgroups are searched recursively, causing poor performance when netgroups are nested.
    DTS # INDaa27824, SR 5003377606.

    The getrpcent(3c) routine may exhibit the following problems: (1) if NIS is not running, a core dump may occur; (2) it may enter an infinite loop, i.e. appear to hang, while reading the NIS map.
    DTS # INDaa27020, SR # 5003362624.

  PHCO_11819:
    In a customer application, regcomp(3C) followed by regexec(3C) returns an unexpected "no match" value when the locale is set to a non-C locale.
    DSDe437259, SR 1653215186.

    No reported symptoms.
    DSDe436555.

    The getrpcent(3c) routine may exhibit the following problems: (1) if NIS is not running, a core dump may occur; (2) it may enter an infinite loop, i.e. appear to hang, while reading the NIS map.
    DTS # INDaa27020, SR # 5003362624.

    Memory leak in getservbyname().
    DTS# INDaa26623, SR# 5003358762.

    Output directed to stderr may be corrupted when an application opens files for non-buffered I/O by calling setbuf() with the _IONBF flag. The symptom is likely to manifest only in multi-threaded applications.
    DSDe437356.

  PHCO_10384:
    strcat() may dump core when the last word of the source string is at a page boundary.
    SR 5003302299, DSDe434239, DSDe427804.

    For regcomp/regexec, "^ *$" and similar patterns in non-C locales will incorrectly match lines with newlines in them.
    DSDe434345, SR 1653204651.

    When sleep() is interrupted by a signal, the returned value of time remaining may be greater than the original request.
    DSDe429933, SR 5003326272.

    memcmp(3c) may dump core at a page boundary.
    DSDe433356, SR 4701344721.
    February 29, 2000 is rejected as a valid date by the getdate(3c) library call.
    DSDe434241, DSDe430766; SR #s 1653203026, 4701334763.

    getdate(3c) would set getdate_err to "no matching template entry" (7) instead of "invalid input specification" (8) for dates outside the range of the time_t data type. This has been fixed.
    DSDe434270

  PHCO_10028:
    Unacceptable degradation of collation using the Swedish language.
    DSDe432108, SR 1653192161.

    Regular expression pattern ".*" behaves incorrectly in the Japanese locale.
    DSDe433097.

  PHCO_8981:
    The libc routine ulckpwdf() always returns -1. As a result, /etc/.pwd.lock cannot be unlocked.
    DSDe431142, SR 5003338038.

    Memory leak in globfree().
    DSDe431962, SR 5003344192.

    If the given weekday is the same as today and within the last 7 days of the month, getdate() would return an Error 8.
    DSDe431143, SR 1653185629.

    In non-C locales, non-blank lines would match the pattern ^$ for regcomp().
    DSDe431505 DSDe432126.

    User applications hit a limit of 1023 for the number of sets in a message catalog.
    DSDe431644, SR 5003341271.

    Calls to tempnam(), mktemp() and mkstemp() sometimes returned a dangling symlink as the name for a temporary file.
    SR 1653189134.

    The strptime() and getdate() calls did not handle two-digit year specifications in the same manner. This has been addressed by providing strptime() and getdate() with an alternative behavior for two-digit year specifications. The alternative behavior follows the X/Open convention: two-digit year values in the range 69-99 refer to the twentieth century (1969-1999) and values in the range 00-68 refer to the twenty-first century (2000-2068). To obtain it, the executable must be linked with the supplied object file, /usr/lib/year2000.o. Existing executables will continue to get the compatible behavior.
    DSDe430766, SR 4701334763.

    The getdate() routine fails with a signal 11 segmentation violation when accessing a datemask file that contains a very large number of alternative date formats.
    DSDe429925, SR 1653176883.
  PHCO_8763:
    Random truncation of strings with strcat() due to the fix attempted in PHCO_8369.

  PHCO_8369:
    Significant performance degradation of regular expression processing in 10.X compared to 9.x. Affects awk, grep, sed, etc.

    The readdir() call may inadvertently call a user-defined routine.

    getcwd() returns EINVAL when a negative buflen is passed in.

    memchr() tries to read beyond the end of valid memory when the character is not found in the string and may dump core.

    Sometimes strcat() would attempt to access an unmapped page of memory.

    - The group permissions of the parent directory of the home directory do not have to be set for "all" for the ".rhosts" check to succeed. The "rhosts" check changes the effective group id to the real group id before opening the ".rhosts" file.
    - ruserok() did not properly parse the username in hosts.equiv.

  PHCO_7799:
    Runtime message catalog functions only support 255 message groups.

    When the customer runs the command "setprivgrp -g LOCKRDONLY", the NIS system hangs.

    regexec() does not find the pattern "(a*|b)c" in the input "c".

    A call to setlocale() caused the LC_ALL string to become corrupt.

    If the ndots resolver option is configured in /etc/resolv.conf and res_init() is directly or indirectly called, a memory leak will occur. Applications using the gethost*() APIs or directly using the resolver APIs (res_*()) in a DNS environment are open to this problem.

    "$^" with REG_NEWLINE matches all lines, not just empty ones.

  PHCO_6809:
    Undocumented behavior for strncpy() was missing.

    qsort() performs very badly on sorted blocks of data: a customer found that qsort() on a file of 100,000 randomly ordered records took seconds, whereas a file of 100,000 records containing large sorted blocks took over an hour to sort.

    Under certain circumstances, a regcomp(3) memory leak causes an Uninitialized Memory Read from within regfree(3).
    On 10.10, a call to fileno() with a NULL parameter simply returns NULL, until libdce.sl is linked in, which enables the thread-safe version of fileno(); that version dumps core when passed a NULL parameter.

    getutent_r(), getutid_r(), and getutline_r() tests dumped core.

    Repeated calls to setlocale(3c) expose a memory leak.

    The yp_bind() routine doesn't time out, and will try forever if the server is not found.

  PHCO_6777:
    Changes were also made to fix the return value of sysconf().

    On 10.10, a call to fileno() with a NULL parameter simply returns NULL, until libdce.sl is linked in, which enables the thread-safe version of fileno(); that version dumps core when passed a NULL parameter.

  PHCO_6596:
    Under some circumstances registers were not being properly saved prior to calling signal handlers.

    setcontext() occasionally returns 100 to indicate success. Changed to always return 0 for success, as required by the standards.

    Multiple calls to gettxt() would result in a "too many open files" error.

    telldir() returns an incorrect offset of zero for the end-of-directory record.

    strptime(3c) does not return the correct information for 12:xx am.

    Includes a change to getpwent.c in function matchname() so that it returns 1 instead of 0 if it finds the name under the MINUS section. Also includes a change to getgrent.c so that interpret() will stop processing if it finds a MINUS as part of the name.

Defect Description:
  PHCO_20588:
    endpwent() dumps core if NIS is used, because of a segmentation violation in endpwent(). In function getnextfromyellow() the return value of yp_next() is not checked. The check is needed because "outkey" (the 5th parameter to yp_next()) contains an arbitrary value when the end of the map is reached, at which point yp_next() returns a nonzero value (YPERR_NOMORE). That arbitrary outkey value was being freed without checking the return value from yp_next().
    Resolution: The return values from yp_next() and yp_first() are now checked, and if either is nonzero the memory that was never allocated is not freed.
    JAGab84526; SR 8606112213

  PHCO_19371:
    regexec() matches "." in the empty string "" in locales other than C.
    Resolution: The problem was an out-of-bounds array access that did not check for the end of the string. The changes only ensure that the accesses are valid.
    JAGaa53114; SR 4701413906

    asctime() does not work for years >= 2100.
    Resolution: The problem was already addressed in 11.0. The code was backported from 11.0 to 10.20, 10.10 and 10.01.
    JAGaa55561

    getcwd() was returning prematurely due to an incorrect check for whether the root directory had been reached in the case of a Loop Back File System (LOFS) and, consequently, returned incorrect results.
    Resolution: Changed getcwd() to compare the entire mystat structure for the current directory and its parent directory when determining whether the root directory has been reached. The previous code only compared the inode and device numbers. This change ensures that cases where the inode and device numbers are the same for both the current and the parent directory are handled correctly. An example of this, prior to applying the fix to getcwd(), follows:

        # mount /stand /stand/lofs
        # cd /stand/lofs/build
        # pwd
        /build          /* path obtained from getcwd() */

    This is because the inode and device numbers for lofs and stand are the same:

        build: {ino = 4226; dev = 0x40000001; fstype = lofs; fsid = 0xff000004}
        lofs:  {ino = 5376; dev = 0x40000001; fstype = lofs; fsid = 0xff000004}
        stand: {ino = 5376; dev = 0x40000001; fstype = ufs;  fsid = 0 }
        /:     {ino = 2;    dev = 0x40000001; fstype = ufs;  fsid = 0 }

    JAGaa62640 JAGaa86038 JAGaa86039; SR 4701414862

    strftime() returns two different week numbers for %V for the days of a week which contains days in both the previous year and the new year.
    The week number returned for the days in the previous year is either 52 or 53. The week number returned for the days in the new year is 1 if four or more days of that week fall in the new year; otherwise it is 53, regardless of whether the last week of the previous year is 52 or 53. The week number should be the same for all days in any one week.
    Resolution: Changed strftime() to return the same week number for all days in a week which contains days in both the previous year and the new year. If fewer than 4 days of that week fall in the new year, return the week number of the last week of the previous year; otherwise, return 1.
    JAGaa93337 JAGaa93338 JAGaa93339; SR 1653245415

    strptime(3C) does not fill in the tm_wday, tm_mon and tm_mday fields of the tm structure when both the year and the day of year are supplied.
    Resolution: The problem was fixed in 10.20 onwards; this fix was backported to 10.10 and 10.01.
    JAGab65823; SR 8606101862

  PHCO_16722:
    When the format used for March 1 of a leap year contains both the %a or %A and the %W or %U conversion specifications, the values returned by strptime() for tm_yday and tm_wday are the same as those for February 29.
    JAGaa41262 SR 1653269738, JAGaa41263 SR 1653269738

  PHCO_15154:
    The getlogin(3) API in libc returns NULL when the tty is the console. Hence utilities like passwd print error messages when they use the getlogin() API to obtain the login name of the user.
    JAGaa01505; SR 5003380394

    C++ applications are not able to use __tolower() and __toupper() because the function prototypes for those functions are not available.
    JAGaa05224, JAGaa06023; SR 4701389932 4701390138

    A call to getcwd() will fail if the root file system is a loopback file system. This will not normally be the case, but if chroot() has been called to set the root directory, the new root could be a loopback file system (LOFS).
    A specific example of this is when the anonymous ftp home directory is a LOFS: ftpd then uses chroot() and can report:
        550 getcwd: No such file or directory
    JAGaa11165, JAGaa01441, JAGaa05219, JAGaa06021; SR 4701382374 4701394395 4701389916 4701390120

    getdate() fails to find a matching template when %r is used in a template and there is at least one other template that contains %H or %R, even though a matching template exists. It also returns an error if a template contains %I but not %p and a matching template exists.
    JAGaa00429, JAGaa10165, JAGaa10166, JAGaa10167, JAGaa10168, JAGaa05222, JAGaa10164, JAGaa10163, JAGaa08067, JAGaa10158, JAGaa12392; SR 4701392977 4701392969 1653261081 4701392928 4701394650

    The memmove(3C) API is slow when moving data to the right.
    JAGaa00539; SR 5003355867

    catopen() copied the catalog path string regardless of its length. Now catopen() copies only the first 1024 characters. The path is built from the caller's environment (LANG, via NLSPATH), so the unbounded copy was reachable from the environment of any program that calls catopen().
    JAGaa08238 JAGaa08239 JAGaa08240 JAGaa08241

  PHCO_14254:
    There is a memory leak in the endpwent() and setpwent() libc functions when they are run in NIS environments. The program size grows in 4k increments for each endpwent() and setpwent() call in an NIS environment.

    When the memory buffer overflows while trying to encode too much data (the portmapper hang listed above), the memory area gets shortened at each request, eventually going negative. The pointer is not reset on error.

  PHCO_13917:
    The size of the string passed to perror(), plus the message, was not checked and could become larger than the size of the allocated output buffer. In such situations perror() overran the buffer and dumped core.

  PHCO_12198:
    An incorrect locking order in libc can lead to deadlocks while reading unbuffered or line-buffered files.

    The effective user and group id are set incorrectly in the call to ruserok() when rlogind is invoked with the -l option.

    If netgroups are nested this causes the NIS netgroup files to be searched recursively, causing poor performance.
    The proper error checks were not in place for getrpcent(3c).

  PHCO_11819:
    A local data item was not being initialized properly.

    Potential for data corruption or a crash if dbm_open() is called with a filename which is too long.

    The proper error checks were not in place for getrpcent(3c).

    NIS getservbyname() memory leak.

    Incorrect internal buffer allocation can lead to an overlap between the stderr buffer and other internal buffers when files are opened for non-buffered I/O.

  PHCO_10384:
    strcat() prefetches a word before doing the shift and concatenation. A check for the end of the string must be performed before the prefetch, since the prefetched word may lie across a page boundary, on a page that is not mapped. This is now fixed.

    The non-C locale code continued to check beyond the terminating null character.

    Because sleep() is required to sleep for at least the requested amount, the returned value may be more than the original request due to rounding.

    memcmp() tried to prefetch words from outside the valid memory page, which can cause a core dump. The prefetching of invalid memory words was caused by an incorrect calculation of the number of words to fetch and compare. This is fixed now.

    The leap year algorithm was incorrect for getdate(3c).

    The check for the range of the input date was wrong for getdate(3c).

  PHCO_10028:
    Unacceptable degradation of collation using the Swedish language.

    Regular expression pattern ".*" behaves incorrectly in the Japanese locale.

  PHCO_8981:
    If you lock /etc/.pwd.lock using lckpwdf(), there is no way to determine that it was unlocked, because ulckpwdf() always returns -1.

    Allocated memory was not properly freed by globfree() after use.

    The day of the month was being improperly adjusted for the case where the day of the week matched today.

    The pattern map was set such that it would continue matching past the end of the pattern.

    The maximum number of message sets allowed in a message catalog was not high enough; it has been increased to 65535.
    The tempnam(), mktemp() and mkstemp() APIs did not check for a dangling symlink before returning the name; this has been fixed. Note that this check only improves name selection: a caller that takes a name from tempnam() or mktemp() and opens it with O_CREAT but without O_EXCL is still exposed to a symlink placed at that name between the check and the open. Create the file with mkstemp(), which opens with O_CREAT|O_EXCL, rather than opening a returned name.

    The strptime() and getdate() calls were not consistent in the manner in which they handled two-digit year specifications.

    When a very large template file is used, and the getdate() routine has to search far into the file to find a matching format specifier, getdate() overran the allocated array.

  PHCO_8763:
    The fix for strcat()'s page boundary problem caused truncation of some strings.

  PHCO_8369:
    Poor performance of 10.X regular expression processing in comparison to 9.x.

    The readdir() call failed to call the primary definition of a public routine, so an application that defined its own routine of that name had it called from inside readdir().

    According to X/Open, getcwd() takes a second argument of type size_t and returns EINVAL only when the second argument is 0.

    memchr() tries to read beyond the end of valid memory when the character is not found in the string and may dump core.

    The strcat() call didn't handle an optimized prefetching strategy properly, causing reads of bytes belonging to unmapped pages.

    1. The "rhosts" check fails if the parent directory of the user's home directory does not have the right group permissions. Consider the case where the parent directory has permissions "710":
           /home          permissions rwx--x---
           /home/student  permissions rwx------
       The directories home and student belong to the same group. The "rhosts" check fails when a remote user tries to log in as "student". This is because the ruserok() routine did not change the effective group id to the real group id before opening the ".rhosts" file.
    2. Usernames in the hosts.equiv file were improperly parsed.
    The ruserok() code now exhibits the expected and documented behavior.

  PHCO_7799:
    Added runtime support for message sets 256 through 1023.

    The problem is in yp_bind.c. The second function call to flock() has a syntax error in the parameter list; the first call to flock() is correct.
    When the setprivgrp -g LOCKRDONLY command is given, the second call to flock() is reached, because it is in code which is only invoked when Talk2_binder() is called. Then it hangs.

    Fix: the pmap array needed to be set true for the alternation case when isfirst is set to 0, since it was getting lost on the next expression, as in:
        echo c | grep -E '(a*|b)c'

    A previous fix for a setlocale() memory leak released storage for the LC_ALL string before it was appropriate. The implementation has been changed to use an internal static buffer.

    res_init() leads to the processing of the ndots option. In processing the ndots value, a routine was called that could generate a recursive loop back to res_init(). During the recursive loop a memory leak would be generated. The code has been redesigned to avoid this loop condition.

    "$^" with REG_NEWLINE matches all lines, not just empty ones; caused by an incorrect fix for DSDe427572.

  PHCO_6809:
    Added back support for an undocumented strncpy() behavior which had previously been removed for performance reasons.

    qsort() needed to pick an alternate pivot point when detecting sorted or partially sorted data in order to improve poor performance.

    When regcomp(3) returns the following error:
        ?, *, or + not preceded by valid regular expression
    the regex_t structure argument has already had memory allocated to it, resulting in a memory leak. If regfree(3) is called in this case, the result is an Uninitialized Memory Read from within regfree().

    The thread-safe version of fileno() tries to dereference a NULL pointer.

    endutent_r() and endutxent_r() assumed that a key had been created. This assumption is not valid, and checks have been put in to determine what action to take.

    Repeated calls to setlocale(3c) expose a memory leak.

    yp_bind() was changed to retry 4 times, then time out and quit if there is no success.

  PHCO_6777:
    Bug in sysconf().

    The thread-safe version of fileno() tries to dereference a NULL pointer.

  PHCO_6596:
    Multiple calls to gettxt() would result in a "too many open files" error.
    telldir() returns an incorrect offset of zero for the end-of-directory record.

    strptime(3c) does not return the correct information for 12:xx am.

    Includes a change to getpwent.c in function matchname() so that it returns 1 instead of 0 if it finds the name under the MINUS section. Also includes a change to getgrent.c so that interpret() will stop processing if it finds a MINUS as part of the name.

SR:
  8606112213 4701413906 4701414862 1653245415 8606101862 1653269738
  1653269738 1653269738 5003380394 4701389932 4701390138 4701382374
  4701394395 4701389916 4701390120 4701392977 4701392969 1653261081
  4701392928 4701394650 5003355867 1653159293 5003294843 5003291716
  5003290056 5003320648 1653174425 4701309294 1653155929 1653169615
  5003338038 5003344192 1653185629 5003341271 1653189134 4701334763
  1653176883 1653192161 1653204651 5003326272 4701344721 1653203026
  5003302299 1653215186 5003362624 5003358762 1653211490 1653228528
  4701364653 5003377606 5003362624 5003395673 1653236562

Patch Files:
  /usr/lib/.unix95/context.o
  /usr/lib/libc.a
  /usr/lib/libp/libc.a
  /usr/lib/libpicc.a
  /usr/lib/unix95.o
  /usr/lib/year2000.o
  /usr/lib/libc.1

what(1) Output:
  /usr/lib/.unix95/context.o: None
  /usr/lib/libc.a:
    PATCH/10_10 PHCO_20588 $Revision: 76.162.1.14.1.89 $
  /usr/lib/libp/libc.a:
    PATCH/10_10 PHCO_20588 $Revision: 76.162.1.14.1.89 $
  /usr/lib/libpicc.a:
    PATCH/10_10 PHCO_20588 $Revision: 76.162.1.14.1.89 $
  /usr/lib/unix95.o: None
  /usr/lib/year2000.o: None
  /usr/lib/libc.1:
    PATCH/10_10 PHCO_20588 $Revision: 76.162.1.14.1.89 $

cksum(1) Output:
  212665383 1356 /usr/lib/.unix95/context.o
  2634008299 2280496 /usr/lib/libc.a
  3048369736 2499398 /usr/lib/libp/libc.a
  1841243070 2392032 /usr/lib/libpicc.a
  4170468200 712 /usr/lib/unix95.o
  1466541401 700 /usr/lib/year2000.o
  1229475256 1716224 /usr/lib/libc.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
  PHCO_6596 PHCO_6777 PHCO_6809 PHCO_7799 PHCO_8369 PHCO_8763 PHCO_8981 PHCO_10028 PHCO_10384
  PHCO_11819 PHCO_12198 PHCO_13917 PHCO_14254 PHCO_15154 PHCO_16722 PHCO_19371

Equivalent Patches: None

Patch Package Size: 8750 KBytes

Installation Instructions:
  Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.
  ------------------------------------------------------------
  1. Back up your system before installing a patch.
  2. Login as root.
  3. Copy the patch to the /tmp directory.
  4. Move to the /tmp directory and unshar the patch:
       cd /tmp
       sh PHCO_20588
  5a. For a standalone system, run swinstall to install the patch:
       swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHCO_20588.depot

  By default swinstall will archive the original software in /var/adm/sw/patch/PHCO_20588. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.

  WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.

  It is recommended that you move the PHCO_20588.text file to /var/adm/sw/patch for future reference.

  To put this patch on a magnetic tape and install from the tape drive, use the command:
       dd if=/tmp/PHCO_20588.depot of=/dev/rmt/0m bs=2k

  After installation, the what(1) and cksum(1) values listed above can be used to confirm that the patched files are in place.

Special Installation Instructions: None
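
Worked example for the strftime(3C) %V fix described under PHCO_19371 in the Defect Description. This is an editor-added example, not HP code and not the libc implementation: it computes the ISO 8601 week number from the same tm fields strftime() has (tm_year, tm_yday, tm_wday), applying the rule stated in the Resolution (a week that straddles the year boundary is week 1 if four or more of its days fall in the new year, otherwise it keeps the number of the last week, 52 or 53, of the previous year). The weekday and day-of-year helpers are assumed for the example so that it does not depend on the host time zone; the dates in main() are chosen to hit both outcomes.

```c
/* Editor-added example, not HP code: ISO 8601 week number as strftime %V should
 * print it, from the struct tm fields strftime(3C) has available. */
#include <stdio.h>
#include <time.h>

static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* Day of week, 0 = Sunday, for a proleptic Gregorian date (Sakamoto's method).
 * Assumed helper: avoids mktime() so the result is independent of TZ. */
static int day_of_week(int y, int m, int d) {
    static const int t[] = {0, 3, 2, 5, 0, 3, 5, 1, 4, 6, 2, 4};
    y -= m < 3;
    return (y + y / 4 - y / 100 + y / 400 + t[m - 1] + d) % 7;
}

/* Zero-based day of year, the same convention as tm_yday. */
static int day_of_year(int y, int m, int d) {
    static const int cum[] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
    return cum[m - 1] + d - 1 + (m > 2 && is_leap(y));
}

/* A year has 53 ISO weeks when it starts on a Thursday, or on a Wednesday in a
 * leap year; otherwise 52.  This is the "last week of the previous year" value
 * the patch notes refer to. */
static int iso_weeks_in_year(int y) {
    int jan1 = day_of_week(y, 1, 1);
    return (jan1 == 4 || (jan1 == 3 && is_leap(y))) ? 53 : 52;
}

/* ISO week number from a struct tm whose tm_year, tm_yday and tm_wday are set.
 * Stores the ISO week-based year (which differs from tm_year + 1900 for the
 * boundary days) in *iso_year when it is non-NULL. */
int iso_week(const struct tm *tm, int *iso_year) {
    int year = tm->tm_year + 1900;
    int wday_mon1 = (tm->tm_wday + 6) % 7 + 1;          /* Monday = 1 ... Sunday = 7 */
    int week = (tm->tm_yday + 1 - wday_mon1 + 10) / 7;   /* week containing Jan 4 is week 1 */
    if (week < 1) {                 /* fewer than 4 days of this week are in the new year */
        year -= 1;
        week = iso_weeks_in_year(year);
    } else if (week > iso_weeks_in_year(year)) {
        year += 1;                  /* Dec 29-31 can already belong to week 1 of next year */
        week = 1;
    }
    if (iso_year) *iso_year = year;
    return week;
}

/* Convenience wrapper: fill the three tm fields from a calendar date. */
int iso_week_ymd(int y, int m, int d, int *iso_year) {
    struct tm tm = {0};
    tm.tm_year = y - 1900;
    tm.tm_mon = m - 1;
    tm.tm_mday = d;
    tm.tm_wday = day_of_week(y, m, d);
    tm.tm_yday = day_of_year(y, m, d);
    return iso_week(&tm, iso_year);
}

int main(void) {
    /* Constructed sample dates around the 1998/1999, 1999/2000, 2004/2005 and
     * 2008/2009 boundaries: these exercise both branches of the rule. */
    static const int dates[][3] = {
        {1998, 12, 31}, {1999, 1, 1}, {1999, 12, 31}, {2000, 1, 1},
        {2004, 12, 31}, {2005, 1, 1}, {2008, 12, 29},
    };
    for (size_t i = 0; i < sizeof dates / sizeof dates[0]; i++) {
        int iy, w = iso_week_ymd(dates[i][0], dates[i][1], dates[i][2], &iy);
        printf("%04d-%02d-%02d -> %04d-W%02d\n",
               dates[i][0], dates[i][1], dates[i][2], iy, w);
    }
    return 0;
}
```

On a libc whose strftime() implements %V and %G correctly (glibc does), the output of this program matches strftime(buf, sizeof buf, "%G-W%V", &tm) for the same dates, which makes it a convenient cross-check when validating a patched or vendor libc.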
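
Worked example for the page-boundary overreads described under PHCO_10384, PHCO_8369 and PHCO_8763 (strcat(), memcmp() and memchr() prefetching a word that lies on the next, unmapped page). This is an editor-added example, not HP code: it builds the guard-page harness a practitioner uses to catch this bug class (two anonymous pages, the second made PROT_NONE, a constructed 6-byte string placed so that its terminating NUL is the last byte of the first page) and runs two word-at-a-time strlen() variants over it under a SIGSEGV/SIGBUS trap. The unaligned-prefetch variant reproduces the fault pattern the patch notes describe; the aligned variant shows one standard way to meet the requirement they state, namely never reading a word that can extend past the string's page. The POSIX mmap/sigaction host is an assumption (tested on Linux).

```c
/* Editor-added example, not HP code: guard-page harness for word-at-a-time
 * string scanning.  Build: cc -O2 -o overread overread.c */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct { long safe_len; long unsafe_len; } overread_result;

static sigjmp_buf fault_env;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Scan from the (unaligned) string pointer, fetching 4 bytes before inspecting
 * them.  The final fetch can extend up to 3 bytes past the NUL: this is the
 * prefetch pattern the patch notes blame for the core dumps at a page boundary. */
static size_t strlen_unaligned_prefetch(const char *s) {
    const char *p = s;
    for (;;) {
        unsigned char w[4];
        memcpy(w, p, sizeof w);        /* may touch the next page */
        for (size_t i = 0; i < sizeof w; i++)
            if (w[i] == 0) return (size_t)(p - s) + i;
        p += sizeof w;
    }
}

/* Walk bytes until p is 4-byte aligned, then fetch aligned words.  An aligned
 * word holding any byte of the string lies wholly inside a page the string
 * occupies (page sizes are multiples of 4), so it can never reach an unmapped
 * page; the end-of-string check therefore happens before any risky fetch. */
static size_t strlen_aligned(const char *s) {
    const char *p = s;
    while ((uintptr_t)p % 4 != 0) {
        if (*p == '\0') return (size_t)(p - s);
        p++;
    }
    for (;;) {
        unsigned char w[4];
        memcpy(w, p, sizeof w);        /* aligned: stays inside the current page */
        for (size_t i = 0; i < sizeof w; i++)
            if (w[i] == 0) return (size_t)(p - s) + i;
        p += sizeof w;
    }
}

/* Run fn(s) with SIGSEGV/SIGBUS trapped: returns the length, or -1 on a fault. */
static long probe(size_t (*fn)(const char *), const char *s) {
    struct sigaction sa, old_segv, old_bus;
    volatile long result;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0)
        result = (long)fn(s);
    else
        result = -1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Map two pages, make the second inaccessible, and place the constructed
 * sample so that its NUL is the final byte of the first page. */
overread_result run_page_boundary_demo(void) {
    overread_result r = { -2, -2 };            /* -2: setup failed */
    static const char sample[] = "hello";      /* 6 bytes with NUL: not a multiple of 4 */
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return r;
    if (mprotect(base + pg, pg, PROT_NONE) != 0) { munmap(base, 2 * pg); return r; }
    char *s = base + pg - sizeof sample;
    memcpy(s, sample, sizeof sample);
    r.safe_len   = probe(strlen_aligned, s);             /* 5 */
    r.unsafe_len = probe(strlen_unaligned_prefetch, s);  /* -1: faulted on the guard page */
    munmap(base, 2 * pg);
    return r;
}

int main(void) {
    overread_result r = run_page_boundary_demo();
    printf("aligned scan: %ld, unaligned prefetch: %ld (-1 = faulted)\n",
           r.safe_len, r.unsafe_len);
    return 0;
}
```

The same harness, with the string placed at the end of the mapped page and the candidate routine called through probe(), is a quick regression test for any hand-optimised strcat/memchr/memcmp replacement: a routine that ever reads past the terminator or past the given length shows up as a fault rather than as an intermittent crash in production.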
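
Worked example for the tempnam()/mktemp()/mkstemp() dangling-symlink item under PHCO_8981 in the Defect Description. This is an editor-added example, not HP code: it shows why checking a candidate name for a dangling symlink is not sufficient on its own, and what callers should do instead. Inside a private mkdtemp() directory the program plays both roles: the "attacker" plants a non-dangling symlink at a predictable temporary-file name (so the PHCO_8981 check would not have rejected it), the "victim" opens that name the way code using mktemp()/tempnam() typically does, and the two hardened variants (O_CREAT|O_EXCL, and mkstemp() with verification on the returned descriptor) are run against the same planted link. The file names, the TMPDIR fallback and a POSIX host are assumptions of the example.

```c
/* Editor-added example, not HP code: symlink attack on a predictable temporary
 * file name, and the O_EXCL / mkstemp() pattern that defeats it. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct {
    int racy_open_followed_link;  /* 1: open(O_CREAT) wrote through the planted symlink */
    int excl_open_refused;        /* 1: open(O_CREAT|O_EXCL) failed with EEXIST */
    int mkstemp_ok;               /* 1: mkstemp() produced a fresh regular 0600 file */
} tmpfile_demo_result;

tmpfile_demo_result run_tmpfile_demo(void) {
    tmpfile_demo_result r = {0, 0, 0};
    const char *tmpbase = getenv("TMPDIR");
    if (tmpbase == NULL) tmpbase = "/tmp";
    char dir[512], victim[600], predicted[600], tmpl[600];
    snprintf(dir, sizeof dir, "%s/tmpdemo.XXXXXX", tmpbase);
    if (mkdtemp(dir) == NULL) return r;             /* private 0700 directory */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(predicted, sizeof predicted, "%s/app.tmp", dir);  /* the name mktemp() would hand out */
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);

    /* Attacker: guess the name and plant a symlink there pointing at a file the
     * application may write.  The link is NOT dangling, so a dangling-link
     * check on the name passes. */
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd >= 0) close(vfd);
    if (symlink(victim, predicted) != 0) { rmdir(dir); return r; }

    /* Victim, pattern 1: name from mktemp()/tempnam(), then open with O_CREAT.
     * open() follows the link and truncates/overwrites the attacker's target. */
    int fd = open(predicted, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) { ssize_t n = write(fd, "owned\n", 6); (void)n; close(fd); }
    struct stat st;
    if (stat(victim, &st) == 0 && st.st_size == 6) r.racy_open_followed_link = 1;

    /* Pattern 2: O_EXCL makes creation atomic.  An existing name, link or not,
     * yields EEXIST instead of being followed; the caller retries another name. */
    fd = open(predicted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST) r.excl_open_refused = 1;
    else if (fd >= 0) close(fd);

    /* Pattern 3: mkstemp() chooses the name and performs the O_CREAT|O_EXCL open
     * in one call, so there is no window for a planted link.  Verify on the
     * descriptor, never by re-opening the path. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
            (st.st_mode & 0777) == 0600)
            r.mkstemp_ok = 1;
        close(fd);
        unlink(tmpl);
    }

    unlink(predicted);
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void) {
    tmpfile_demo_result r = run_tmpfile_demo();
    printf("open(O_CREAT) followed planted link: %d\n", r.racy_open_followed_link);
    printf("open(O_CREAT|O_EXCL) refused:        %d\n", r.excl_open_refused);
    printf("mkstemp() gave a fresh 0600 file:    %d\n", r.mkstemp_ok);
    return 0;
}
```

The first result is the bug the dangling-link check cannot close: the race is between choosing the name and creating the file, and only an atomic exclusive create removes it. Code that still carries a tempnam()/mktemp() plus open() sequence should be converted to mkstemp() and then use the returned descriptor (fdopen(), fstat(), fchmod()) rather than the path.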