Patch Name: PHCO_8368

Patch Description: s700_800 10.0X libc cumulative patch

Creation Date: 96/09/18

Post Date: 96/09/24

Warning: 96/09/30 - This Critical Warning has been issued by HP.

    The fix for strcat(3) included in this patch introduces a problem
    where random truncation of the string may occur. The problem has not
    been fully characterized by HP, but it has been seen using several
    general purpose applications like VUE, lex, and yacc.

    HP plans to release new patches by 10/07/96 that include all the
    defect fixes in the patch EXCEPT for the strcat(3) defect fix.

    Due to the random nature of this defect, it is recommended that the
    patch be deinstalled from all systems on which it is installed as
    soon as possible. If a customer needs the other defect fixes in this
    patch, they should install the new patch when it becomes available.
    Patch PHCO_7798 will be re-released until the replacement patch is
    available.

Hardware Platforms - OS Releases:
    s700: 10.00 10.01
    s800: 10.00 10.01

Products: N/A

Filesets:
    OS-Core.C-MIN
    OS-Core.CORE-SHLIBS
    ProgSupport.PROG-AUX
    ProgSupport.PROG-MIN

Automatic Reboot?: No

Status: General Superseded With Warnings

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_8368

Symptoms:
    PHCO_8368:
    The readdir() call may inadvertently call a user-defined routine.
    getcwd returns EINVAL when a negative buflen is passed in.
    memchr tries to read beyond the end of valid memory when the char is
    not found in the string and may core dump.
    Sometimes strcat would attempt to access an unmapped page of memory.
    - The group permissions of the parent directory of the home directory
      do not have to be set for "all" for the ".rhosts" check to succeed.
      The "rhosts" check changes the effective group id to the real group
      id before opening the ".rhosts" file.
    - ruserok() did not properly parse the username in hosts.equiv.

    PHCO_7798:
    regexec does not find pattern "(a*|b)c" in input "c".
    Call to setlocale() caused the LC_ALL string to become corrupt.
    "$^" with REG_NEWLINE matches all lines, not just empty ones.

    PHCO_7177:
    Runtime message catalog functions only support 255 message groups.

    PHCO_7175:
    strxfrm(3) can potentially incompletely transform in a non-C locale if
    only one extra byte for NULL is allocated and the array is not
    initialized to zeros.

    PHCO_6778:
    Undocumented behavior for strncpy was missing.
    qsort performs very badly on sorted blocks of data - a customer found
    that qsort on a file with 100,000 randomly sorted records took
    seconds, whereas a file of 100,000 records containing large sorted
    blocks took over an hour to sort.
    Under certain circumstances, a regcomp(3) memory leak causes an
    Uninitialized Memory Read from within regfree(3).
    On 10.10 a call to fileno() with a NULL parameter simply returns
    NULL - that is, until you have linked in libdce.sl, which enables the
    thread-safe version of fileno, which core dumps when passed a NULL
    parameter.
    Repeated calls to setlocale(3c) expose a memory leak.

    PHCO_6595:
    Multiple calls to gettxt() would result in a "too many open files"
    error.
    telldir() returns an incorrect offset of zero for the end of directory
    record.
    strptime(3c) does not return the correct information for 12:xx am.
    Includes a change to getpwent.c in function matchname() so that it
    returns 1 instead of 0 if it finds the name under the MINUS section.
    Also includes a change to getgrent.c so that interpret will stop
    processing if it finds a MINUS as part of the name.

    PHCO_6427:
    The strncpy() defect documented in PHCO_6342 was not completely fixed.

    PHCO_6342:
    Applications calling strncpy() may core dump at a page boundary
    between a valid and an invalid page.
    Applications calling gettxt() several times may get a "too many file
    descriptors" error.

    PHCO_6134:
    Applications using getprotobyname_r(), getprotobynumber_r(),
    getnetbyname_r(), getnetbyaddr_r(), getservbyname_r(), or
    getservbyport_r() in multithreaded applications may core dump.
    Applications directly or indirectly calling res_search() will
    experience a memory leak.
    strncpy may behave incorrectly.
    Cu does not work over Datakit.
    Child process file descriptors may be trashed when resolving a name
    with NIS in gethostbyname.
    Fixes a stack overrun defect in syslog.

    PHCO_6070:
    Applications making a transition from 9.x to 10.x may encounter
    unexpected malloc failures when the locale is other than C, e.g. the
    German or French locales.

    PHCO_5420:
    Possible unexpected failures from getservbyname_r() when querying an
    NIS server that is without a servi.bynp map. The probability of
    failure is proportional to the number of times the getservbyname_r()
    call is executed. After an initial failure, subsequent calls to
    getservbyname_r() will continue to fail.
    getservbyport() has poor performance in an NIS environment if the
    requested service port is not present in the server's services.byname
    map, or if the port is present in the map but the user did not
    specify a protocol in the getservbyport() call. The NIS client would
    then start a sequential search of the map, increasing CPU usage and
    network traffic for the duration of the search.
    The strncpy(3c) function fails with "segmentation violation" when
    (a) the source string ends on a page boundary, (b) the page following
    the source string has not been allocated to the process, and (c) the
    source and destination pointers are not aligned the same.
    Calls to malloc for greater than 1Gb of memory fail with ENOMEM.
    The routines in the password entry family of routines may encounter
    various problems (core dumps, corrupted heap--such as malloc
    structures, etc.) on systems using NIS.
    Calls to opendir with device files and pipes hang.
    User cannot login via console when the password is expired.
    The version of iconv on 10.0 sets errno incorrectly for incomplete
    double-byte characters when LANG=ja_JP.SJIS or LANG=ja_JP.eucJP. When
    such an error occurs, errno should be set to EINVAL. Instead, it is
    set to EILSEQ.
    The update mnttab(3c) function can corrupt the mnttab file. The values
    for passno and frequency can be invalid in the mnttab file if the root
    file system is incorrect in the existing mnttab and/or fstab file.
    When using the %V format descriptor with strftime(3c), the count for
    the number of weeks is incorrect when processing week 1. This problem
    can be demonstrated in applications that use strftime(3c) or date(1).
    The FP to ASCII conversion routine "do_fcvt()" rounds imprecisely for
    certain numbers.
    HP-UX 9.x applications using regexp(3x) interfaces encounter binary
    compatibility problems with HP-UX 10.x systems.
    Calling setusershell(3c) may cause data corruption in the user's heap
    area.
    HP-UX 9.x applications using libc_r IPC interfaces may encounter
    binary compatibility problems with HP-UX 10.x systems.

Defect Description:
    PHCO_8368:
    The readdir() call failed to call the primary definition of a public
    routine.
    According to X/Open, getcwd takes a second argument of type size_t and
    returns EINVAL only when the second argument is 0.
    memchr tries to read beyond the end of valid memory when the char is
    not found in the string and may core dump.
    The strcat call didn't handle an optimized pre-fetching strategy
    properly, causing the read of bytes belonging to unmapped pages.
    1. The "rhosts" check fails if the parent directory of the user's
       home directory does not have the right group permissions. Consider
       the case where the parent directory has permissions "710":
           /home          - permissions rwx--x---
           /home/student  - permissions rwx------
       - The directories home and student belong to the same group.
       - The "rhosts" check fails when a remote user tries to login as
         "student".
       - This is because the ruserok() routine does not change the
         effective group id to the real group id before opening the
         ".rhosts" file.
    2. Usernames in the hosts.equiv file are improperly parsed.
       - The ruserok() code now exhibits the expected and documented
         behavior.
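    As an added regression check for the page-boundary read defects
    described above (memchr and strcat under PHCO_8368, strncpy under
    PHCO_5420), and not part of HP's patch text: the C harness below
    places a constructed string so that its terminating NUL is the last
    byte before an inaccessible guard page and then exercises the three
    routines. It assumes POSIX mmap/mprotect (tested on Linux) and that a
    libc with these defects faults instead of returning; because it also
    compares strcat's result, it would flag the truncation regression
    named in the Critical Warning as well.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map two pages and make the second inaccessible (guard page); NULL on failure. */
static char *guarded_page(size_t pagesz) {
    char *p = mmap(NULL, 2 * pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (mprotect(p + pagesz, pagesz, PROT_NONE) != 0) {
        munmap(p, 2 * pagesz);
        return NULL;
    }
    return p;
}

/* Returns 1 when memchr, strncpy and strcat all handle a source string whose
 * terminating NUL is the last byte before an unmapped page. A libc with the
 * defects described above faults (SIGSEGV/SIGBUS) here instead of returning. */
int check_page_boundary_reads(void) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    char *page = guarded_page(pagesz);
    if (page == NULL) return 0;
    /* Constructed input: "boundary" and its NUL fill the page's last 9 bytes. */
    const char *word = "boundary";
    char *src = page + pagesz - (strlen(word) + 1);
    memcpy(src, word, strlen(word) + 1);
    int ok = 1;
    /* memchr: the byte is absent, so a correct scan stops at n, short of the guard. */
    ok = ok && memchr(src, 'z', strlen(src)) == NULL;
    /* strncpy: word-aligned destination versus a source 9 bytes before the page
     * end, i.e. pointers "not aligned the same" (condition (c) above). */
    unsigned long aligned[4] = {0};
    strncpy((char *)aligned, src, sizeof aligned);
    ok = ok && memcmp(aligned, "boundary\0\0\0\0\0\0\0\0", 16) == 0;
    /* strcat: comparing the result also catches silent truncation. */
    char cat[32] = "prefix-";
    strcat(cat, src);
    ok = ok && strcmp(cat, "prefix-boundary") == 0;
    munmap(page, 2 * pagesz);
    return ok;
}

int main(void) {
    printf("page-boundary checks: %s\n", check_page_boundary_reads() ? "pass" : "FAIL");
    return 0;
}
```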
    PHCO_7798:
    Fix: the pmap array needed to be set true for the alternation case
    when isfirst is set to 0, since it was getting lost on the next
    expression for the case of
        echo c | grep -E '(a*|b)c'
    A previous fix for a setlocale() memory leak releases storage for the
    LC_ALL string before it is appropriate. The implementation has been
    changed to use an internal static buffer.
    "$^" with REG_NEWLINE matches all lines, not just empty ones, caused
    by an incorrect fix for DSDe427572.

    PHCO_7177:
    Add runtime support for message sets 256 thru 1023.

    PHCO_7175:
    strxfrm(3) may not completely transform an array in non-C locales.

    PHCO_6778:
    Added support back for an undocumented strncpy behavior which had been
    previously removed for performance reasons.
    qsort needed to pick an alternate pivot point when detecting sorted or
    partially sorted data in order to improve poor performance.
    When regcomp(3) returns the following error:
        ?, *, or + not preceded by valid regular expression
    the regex_t structure argument has already had memory allocated to
    it, resulting in a memory leak. If regfree(3) is called in this case,
    the result is an Uninitialized Memory Read from within regfree.
    The thread-safe version of fileno() wasn't checking for a NULL
    pointer.
    Repeated calls to setlocale(3c) expose a memory leak.

    PHCO_6595:
    Multiple calls to gettxt() would result in a "too many open files"
    error.
    telldir() returns an incorrect offset of zero for the end of directory
    record.
    strptime(3c) does not return the correct information for 12:xx am.
    Includes a change to getpwent.c in function matchname() so that it
    returns 1 instead of 0 if it finds the name under the MINUS section.
    Also includes a change to getgrent.c so that interpret will stop
    processing if it finds a MINUS as part of the name.

    PHCO_6427:
    The strncpy() defect documented in PHCO_6342 was not completely fixed.

    PHCO_6342:
    Applications calling strncpy() may core dump at a page boundary
    between a valid and an invalid page. This has now been corrected.
    The gettxt() function failed to close files before opening another
    file with the same file descriptor. This caused the user to get the
    error "too many file descriptors". This code will now close the
    previously opened files.

    PHCO_6134:
    Possible internal use of an invalid file descriptor could cause a core
    dump. Applications using getprotobyname_r(), getprotobynumber_r(),
    getnetbyname_r(), getnetbyaddr_r(), getservbyname_r(), or
    getservbyport_r() reentrant calls could be affected.
    Memory malloc'd within res_search() would not be free'd. This has now
    been corrected.
    strncpy(3c) occasionally behaves incorrectly on different processors.
    This has now been corrected.
    Add support for Cu over DATAKIT.
    At HP-UX 10.0, child process file descriptors may be trashed when
    resolving a name with NIS in gethostbyname. This has now been
    corrected.
    Fixes a stack overrun defect in syslog. This has now been corrected.

    PHCO_6070:
    The root cause of the problem was a memory leak in two internal
    routines called by strxfrm. This memory leak eventually causes the
    process to run out of space to malloc.

    PHCO_5420:
    The getservbyname_r() call would use the non-reentrant setservent()
    and endservent() calls rather than their reentrant equivalents
    (setservent_r() and endservent_r()). Subsequent calls to
    getservbyname_r() in an NIS environment with no servi.bynp map would
    not start a search of the services.byname map from the first entry in
    the map, but would start from where the last search left off.
    In an NIS environment getservbyport() could generate higher network
    traffic and CPU load due to a sequential search of the NIS server
    services.byname map being triggered. This search would be triggered
    whenever NIS was up and the port and protocol pair passed to the
    getservbyport() call were not present in the map, or when the user
    didn't supply a protocol value to the getservbyport() call. A more
    efficient model has now been adopted.
    The calls getservbyport_r(), getprotobyname_r(), getprotobynumber_r(),
    getnetbyname_r(), and getnetbyaddr_r() also shared the same issue
    found in getservbyname_r(). No external symptoms have been noted, but
    the changes were introduced as a preventative measure.
    The strncpy(3c) function reads an extra word from memory, which may
    lead to an application abort if the address is outside the currently
    allocated heap space.
    The malloc(3c) function would test for memory requests > 1Gb and flag
    them as illegal requests. This is not a problem with most
    applications; however, applications built with the linker option '-N'
    would be limited to memory requests of less than 1Gb per call.
    A call to getpwent(3c) on a system with NIS may free a malloc block
    without recording this action. Future calls to any routines in this
    family may attempt to free the same block a second time.
    The opendir(3c) function could hang when passed a device file or a
    named pipe.
    The getlogin() function fails when the program is run on the console.
    It sets errno to EPERM.
    The version of iconv on 10.0 sets errno incorrectly for incomplete
    double-byte characters when LANG=ja_JP.SJIS or LANG=ja_JP.eucJP. When
    such an error occurs, errno should be set to EINVAL. Instead, it is
    set to EILSEQ.
    The update mnttab(3c) function can corrupt the mnttab file. The values
    for passno and frequency can be invalid in the mnttab file if the root
    file system is incorrect in the existing mnttab and/or fstab file.
    The %V format descriptor in the strftime(3c) function returned an
    incorrect value for the week number for the first week of the year.
    Rounding is attempted on the complete number, causing errors due to
    results that may not be accurately represented in the FP format.
    HP-UX 9.x applications using regexp(3x) interfaces encounter binary
    compatibility problems with HP-UX 10.x systems.
    A routine called by setusershell() writes one more byte to the memory
    block than was originally allocated.
    HP-UX 9.x applications using libc_r IPC interfaces may encounter
    binary compatibility problems with HP-UX 10.x systems.

SR: 5003306746 4701319327 1653159293 5003249490 5003233056 5003251611
    5003235648 1653119107 5003247882 5003272542 5003262022 1653141440
    5003260257 1653140376 5003291716 5003291716 5003290056 1653174425
    5003302299

Patch Files:
    /usr/lib/libc.a
    /usr/lib/libp/libc.a
    /usr/lib/libpicc.a
    /usr/lib/libc.1

what(1) Output:
    /usr/lib/libc.a:
        PATCH/10_01 PHCO_8368 $Revision: 74.9.1.16.1.63 $
    /usr/lib/libp/libc.a:
        PATCH/10_01 PHCO_8368 $Revision: 74.9.1.16.1.63 $
    /usr/lib/libpicc.a:
        PATCH/10_01 PHCO_8368 $Revision: 74.9.1.16.1.63 $
    /usr/lib/libc.1:
        PATCH/10_01 PHCO_8368 $Revision: 74.9.1.16.1.63 $

cksum(1) Output:
    2245484027 2009434 /usr/lib/libc.a
    3035902794 2223042 /usr/lib/libp/libc.a
    3016289608 2029684 /usr/lib/libpicc.a
    4277813720 1441792 /usr/lib/libc.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHCO_5420 PHCO_6070 PHCO_6134 PHCO_6342 PHCO_6427 PHCO_6595
            PHCO_6778 PHCO_7175 PHCO_7177 PHCO_7798

Equivalent Patches: None

Patch Package Size: 7580 Kbytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine
    User Guide or your Hewlett-Packard support terms and conditions for
    precautions, scope of license, restrictions, and limitation of
    liability and warranties, before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.
    2. Log in as root.
    3. Copy the patch to the /tmp directory.
    4. Move to the /tmp directory and unshar the patch:
           cd /tmp
           sh PHCO_8368
    5a. For a standalone system, run swinstall to install the patch:
           swinstall -x autoreboot=true -x match_target=true \
               -s /tmp/PHCO_8368.depot
    5b. For a homogeneous NFS Diskless cluster, run swcluster on the
        server to install the patch on the server and the clients:
           swcluster -i -b
        This will invoke swcluster in the interactive mode and force all
        clients to be shut down.
        WARNING: All cluster clients must be shut down prior to the patch
        installation. Installing the patch while the clients are booted
        is unsupported and can lead to serious problems.
        The swcluster command will invoke an swinstall session in which
        you must specify:
           alternate root path - default is /export/shared_root/OS_700
           source depot path   - /tmp/PHCO_8368.depot
        To complete the installation, select the patch by choosing
        "Actions -> Match What Target Has" and then "Actions -> Install"
        from the Menubar.
    5c. For a heterogeneous NFS Diskless cluster:
        - run swinstall on the server as in step 5a to install the patch
          on the cluster server.
        - run swcluster on the server as in step 5b to install the patch
          on the cluster clients.

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHCO_8368. If you do not wish to retain a copy of
    the original software, you can create an empty file named
    /var/adm/sw/patch/PATCH_NOSAVE.

    Warning: If this file exists when a patch is installed, the patch
    cannot be deinstalled. Please be careful when using this feature.

    It is recommended that you move the PHCO_8368.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape drive,
    use the command:
           dd if=/tmp/PHCO_8368.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None