A security audit of the glibc packages in Red Hat Enterprise Linux 2.1 found a flaw in the resolver library which was originally reported as affecting versions of ISC BIND 4.9. This flaw also applied to glibc versions before 2.3.2. An attacker who is able to send DNS responses (perhaps by creating a malicious DNS server) could remotely exploit this vulnerability to execute arbitrary code or cause a denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0029 to this issue.

Info:
https://rhn.redhat.com/errata/RHSA-2004-383.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0029

------- Additional Comments From michal 2004-08-05 07:44:39 ----
Created an attachment (id=795)
patch for glibc resolver

This patch is re-diffed against sources of glibc-2.2.5-44.src.rpm; the fix is taken from glibc-2.2.4-32.17.src.rpm RHEL sources. Modifications to the spec file are obvious.

I am running right now a machine with glibc compiled with this and so far so good (or you would not be reading this :-).

------- Additional Comments From dwb7.edu 2004-08-20 05:34:54 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built glibc packages for 7.3 using the patch in comment #1.

I have installed these packages on one workstation and one server. So far, everything seems to function well.

Packages available for download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/glibc/

sha1sums:
4c15a9ce6b95ae057ed97aa9d884f8a322182ec1 *glibc-2.2.5-44.legacy.1.i386.rpm
47f33ec0098092be0f7fcee1981ed90c9ad28aa0 *glibc-2.2.5-44.legacy.1.src.rpm
6af08ec984ed957423ad76c01a447858f215d2de *glibc-common-2.2.5-44.legacy.1.i386.rpm
dade74dd1e4fd146d9fa38286396c5307aa0d8e4 *glibc-debug-2.2.5-44.legacy.1.i386.rpm
12f595de3ef68e222a9f99050d47c6a2f4c81e59 *glibc-debug-static-2.2.5-44.legacy.1.i386.rpm
6bed18c54028b4ce8a68538da40f77294baeb99b *glibc-devel-2.2.5-44.legacy.1.i386.rpm
a979d69807735c52e4c99464c2d62681448976b0 *glibc-profile-2.2.5-44.legacy.1.i386.rpm
1a584b5f05669f0d4c8fb213bb35707ec5136429 *glibc-utils-2.2.5-44.legacy.1.i386.rpm
5fad0fda9b04d2896732268555c5bab768e95c5f *nscd-2.2.5-44.legacy.1.i386.rpm

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBJhn1SY7s7uPf/IURAjFuAKCBA/WRyfvv/n9ogO4UAePyHnarmACgiDS7
Cu1skptmTMDtE8C8WmmjL14=
=b5Xe
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-09-01 04:06:13 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the glibc package for 7.3:

47f33ec0098092be0f7fcee1981ed90c9ad28aa0 *glibc-2.2.5-44.legacy.1.src.rpm

- - Source files match previous release
- - Patch file looks good
- - Spec file looks good
- - Builds, Installs, and Runs OK.

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBNddnLMAs/0C4zNoRApOrAKCwwGxLS6eaDm8DpFyXnDj6MD2XawCeNe1A
KQU/SKRpbGj0xkitD9ldaDw=
=OUmv
-----END PGP SIGNATURE-----

------- Additional Comments From dwb7.edu 2004-09-03 05:11:56 ----
There may be a bug in the new glibc w.r.t. Matlab, Mathematica, and SMP processes. We are trying to confirm that glibc is indeed the source of the problem (Redhat 7.3). Anyone have Mathematica, Matlab and can play around some?
------- Additional Comments From dom 2004-09-03 05:17:31 ----
I have Mathematica 5.0.1.0 on rh 7.3, running glibc-2.2.5-45.legacy. Feel free to drop me a mail with some test cases.

------- Additional Comments From dom 2004-09-03 05:19:51 ----
Whoops. 45.legacy being a version I rolled but didn't get out before Dave had released his.

------- Additional Comments From dwb7.edu 2004-09-03 08:00:44 ----
Problem solved. Turned out to be my failure to build the i686 arch rpms. Oops.

------- Additional Comments From ckelley 2004-09-13 04:11:43 ----
47f33ec0098092be0f7fcee1981ed90c9ad28aa0 glibc-2.2.5-44.legacy.1.src.rpm

I am probably missing something to build with, but I can't get this to work on 7.3:

+ '[' -d /var/tmp/glibc-2.2.5-root/usr/info -a /usr/share/info '!=' /usr/info ']'
+ gzip -9nvf '/var/tmp/glibc-2.2.5-root/usr/share/info/libc*'
gzip: /var/tmp/glibc-2.2.5-root/usr/share/info/libc*: No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.8386 (%install)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.8386 (%install)

/var/tmp/glibc-2.2.5-root/usr/share/info doesn't exist (but the 'share' directory does).

------- Additional Comments From marcdeslauriers 2004-09-13 13:52:54 ----
Do you have the info package installed? Try "rpm -q info".

------- Additional Comments From ckelley 2004-09-15 05:00:40 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

47f33ec0098092be0f7fcee1981ed90c9ad28aa0 glibc-2.2.5-44.legacy.1.src.rpm

SPEC file is from redhat's 2.2.4-44 with CAN-2002-0029 patch (AS2.1). The security patch is quite large, but looks ok from a cursory view.

Packages build just fine after installing texinfo.

After installing the new glibc, I rebooted and recompiled glibc just to give the runtime a workout -- it all seems fine. I'm not sure about Mathematica, but octave runs just fine.

PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBSFkHyQ+yTHz+jJkRAp8uAKCZ+VKyjWaOe9EQ8X6AckQ//M0jgwCfeaKX
TbDOR++Kf+BVxJ0cc8qv6NY=
=PJap
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating 2004-09-16 15:43:40 ----
Does this not affect 9?

------- Additional Comments From marcdeslauriers 2004-09-16 15:48:24 ----
Advisory says it affects glibc before 2.3.2. rh9 came with 2.3.2. rhel3 came with 2.3.2 also and the advisory didn't apply to it, so I guess it doesn't apply to rh9 either.

------- Additional Comments From marcdeslauriers 2004-09-17 13:16:03 ----
Created an attachment (id=854)
Advisory draft

Here is draft text for the advisory.

------- Additional Comments From jpdalbec 2004-09-28 09:32:22 ----
IMO this needs a BuildRequires: texinfo to be publishable. I'm building updated packages now.

------- Additional Comments From marcdeslauriers 2004-09-28 09:40:33 ----
John, don't bother making new packages, I'll just add texinfo when I build this for testing.

------- Additional Comments From marcdeslauriers 2004-09-28 09:42:15 ----
I see Dom is going to build this for testing.

Dom- Please add "BuildRequires: texinfo" to the spec file...

------- Additional Comments From dom 2004-09-30 23:13:17 ----
Pushed to updates-testing:
http://www.redhat.com/archives/fedora-legacy-list/2004-October/msg00003.html

------- Additional Comments From ckelley 2004-10-01 09:58:09 ----
Created an attachment (id=867)
Missing localization files in glibc-common-2.2.5-44.legacy.2.i386.rpm

Catastrophic error : blah.rpm has differing file count (2941 vs 5578)

I think something is wrong with the binary build on updates-testing; it doesn't have the same number of files as the original redhat release, or a localized build on my test box. See the attachment for a diff of the files (< points to my localized build).

------- Additional Comments From dom 2004-10-01 13:59:18 ----
Also, I need to fix missing i686 packages.
------- Additional Comments From cra 2004-10-02 09:13:13 ----
Created an attachment (id=868)
Differences of glibc-common from previous errata

Output of:
rpm-build-compare.sh glibc-common-2.2.5-44.i386.rpm glibc-common-2.2.5-44.legacy.2.i386.rpm

------- Additional Comments From cra 2004-10-02 09:17:28 ----
Created an attachment (id=869)
rpm-build-compare.sh script

Script to compare two binary or source rpm files. Differences are noted for the following:
- Provides
- Requires
- Dynamic Link Libraries (ldd)
- Symbol Tables (nm) - symbol addresses are not included
- File lists - timestamps are not included
- Files themselves

------- Additional Comments From ckelley 2004-10-04 04:18:42 ----
Thanks Charles! I've been building my own toolset to do just that:
http://www.ibnads.com/fedora_legacy/rpm_tools

------- Additional Comments From marcdeslauriers 2004-10-04 12:00:29 ----
These were pulled from updates-testing until we get them fixed.

------- Additional Comments From ludes 2004-10-07 02:46:07 ----
Similar to message #18. It appears that localization is missing. I get this perl error when running autorpm on 3 machines that had the testing glibc rpms installed.

[root@boreas i686]# autorpm
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

Once I revert back to the original rpms for glibc the warning disappears.

------- Additional Comments From marcdeslauriers 2004-10-16 04:22:15 ----
I'm trying to build glibc on a fully-installed Red Hat 7.3 box, as we are having problems building this on our mach server.

Although it successfully builds, the glibc-utils package has extra dependencies on freetype and libjpeg that are not present in the last glibc-utils errata release. If I remove freetype and libjpeg from the build server, glibc won't build anymore as memusage is missing.

Anyone have any idea what could be done?

------- Additional Comments From marcdeslauriers 2004-10-16 12:02:37 ----
Rebuilt packages were pushed to updates-testing.

787b02c547d9578eab2112b681d58ce40589dd37 7.3/updates-testing/i386/glibc-2.2.5-44.legacy.3.i386.rpm
d73f3bf9fd6c094dbf3d7c0409c0d34de40a1cfd 7.3/updates-testing/i386/glibc-2.2.5-44.legacy.3.i686.rpm
df3fdb0f5d327b10bb285b06a5f1422642b980b7 7.3/updates-testing/i386/glibc-common-2.2.5-44.legacy.3.i386.rpm
61e6c8521d67f38e96c679b3d263f6dccfb43b75 7.3/updates-testing/i386/glibc-debug-2.2.5-44.legacy.3.i386.rpm
d5b070b85a0a57702f3259790e59707dd8d67ef1 7.3/updates-testing/i386/glibc-debug-2.2.5-44.legacy.3.i686.rpm
e8988fb212ad671469f190f01b35c7664298ea58 7.3/updates-testing/i386/glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
f2043d369aeb8a8a39b0f1e429fdbcf08dcefd5b 7.3/updates-testing/i386/glibc-devel-2.2.5-44.legacy.3.i386.rpm
5902d254f9926b0c532e8af5e0fe3ed22e105215 7.3/updates-testing/i386/glibc-profile-2.2.5-44.legacy.3.i386.rpm
6c8b2d53b0626265c180ba09a1a6161e4be6765d 7.3/updates-testing/i386/glibc-utils-2.2.5-44.legacy.3.i386.rpm
26282373e4cd3770b40b3cf10dc17b7f6f23ce6a 7.3/updates-testing/i386/nscd-2.2.5-44.legacy.3.i386.rpm
b8f02cd099305c9866715493147ca9c9dcecfff0 7.3/updates-testing/SRPMS/glibc-2.2.5-44.legacy.3.src.rpm

------- Additional Comments From ckelley 2004-10-19 05:31:01 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Binaries:
d73f3bf9fd6c094dbf3d7c0409c0d34de40a1cfd glibc-2.2.5-44.legacy.3.i686.rpm
df3fdb0f5d327b10bb285b06a5f1422642b980b7 glibc-common-2.2.5-44.legacy.3.i386.rpm
d5b070b85a0a57702f3259790e59707dd8d67ef1 glibc-debug-2.2.5-44.legacy.3.i686.rpm
e8988fb212ad671469f190f01b35c7664298ea58 glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
f2043d369aeb8a8a39b0f1e429fdbcf08dcefd5b glibc-devel-2.2.5-44.legacy.3.i386.rpm
5902d254f9926b0c532e8af5e0fe3ed22e105215 glibc-profile-2.2.5-44.legacy.3.i386.rpm
6c8b2d53b0626265c180ba09a1a6161e4be6765d glibc-utils-2.2.5-44.legacy.3.i386.rpm
26282373e4cd3770b40b3cf10dc17b7f6f23ce6a nscd-2.2.5-44.legacy.3.i386.rpm

Source:
b8f02cd099305c9866715493147ca9c9dcecfff0 glibc-2.2.5-44.legacy.3.src.rpm

- Cross-checked with glibc-2.2.5-34, and it looks good
- Source builds fine and matches published RPMs
- Installs properly, and seems to run fine

+VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBdTMiyQ+yTHz+jJkRAhZaAKDBkIT2bvJEqRUhXDMMmPlN/ZSaUACgp3vQ
Xo1y0Ty1fzvt92OMTRNniFM=
=FVvL
-----END PGP SIGNATURE-----

------- Additional Comments From cra 2004-10-21 15:07:11 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for RH 7.3:

787b02c547d9578eab2112b681d58ce40589dd37 glibc-2.2.5-44.legacy.3.i386.rpm
d73f3bf9fd6c094dbf3d7c0409c0d34de40a1cfd glibc-2.2.5-44.legacy.3.i686.rpm
df3fdb0f5d327b10bb285b06a5f1422642b980b7 glibc-common-2.2.5-44.legacy.3.i386.rpm
61e6c8521d67f38e96c679b3d263f6dccfb43b75 glibc-debug-2.2.5-44.legacy.3.i386.rpm
d5b070b85a0a57702f3259790e59707dd8d67ef1 glibc-debug-2.2.5-44.legacy.3.i686.rpm
e8988fb212ad671469f190f01b35c7664298ea58 glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
f2043d369aeb8a8a39b0f1e429fdbcf08dcefd5b glibc-devel-2.2.5-44.legacy.3.i386.rpm
5902d254f9926b0c532e8af5e0fe3ed22e105215 glibc-profile-2.2.5-44.legacy.3.i386.rpm
6c8b2d53b0626265c180ba09a1a6161e4be6765d glibc-utils-2.2.5-44.legacy.3.i386.rpm
26282373e4cd3770b40b3cf10dc17b7f6f23ce6a nscd-2.2.5-44.legacy.3.i386.rpm
b8f02cd099305c9866715493147ca9c9dcecfff0 glibc-2.2.5-44.legacy.3.src.rpm

* rpm-build-compare.sh finds no unintended changes from 2.2.5-44
* packages install fine
* has been running fine on several systems since 10/14/2004
* VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBeFuIw2eg+Um7WIYRAoE1AJsHwwepOwTE/HbsdLAmmPRyNGn91QCdFxcv
W5V8O0r1V4LHy7dcuS5QUH0=
=AC9d
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-10-24 03:41:12 ----
Packages were released to official updates.
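The rpm-build-compare.sh script from attachment 869 is not reproduced on this page. As an added example (it is not Fedora Legacy's script and not code from anyone in the thread), the following Python performs the same comparison of two builds of a package, but on captured command output so it runs without rpm installed: Provides and Requires as printed by rpm -qp --provides / --requires, ldd output with the load addresses dropped, nm -D symbols with the addresses dropped, and the rpm -qlvp file list with the timestamp columns dropped (the ls-style column layout it parses is an assumption). The OLD_BUILD and NEW_BUILD data is constructed: it merges two findings from the thread (locale files missing from the rebuilt glibc-common, extra freetype and libjpeg requirements on the rebuilt glibc-utils) into one tiny fake package; the real glibc-common diff involved thousands of files.

```python
from collections import namedtuple

FileEntry = namedtuple("FileEntry", "mode owner group size")


def parse_capabilities(text):
    """Lines from `rpm -qp --provides` / `rpm -qp --requires`, whitespace normalised."""
    return {" ".join(l.split()) for l in text.splitlines() if l.strip()}


def parse_ldd(text):
    """`ldd` lines like 'libc.so.6 => /lib/libc.so.6 (0x40020000)'; the load
    address differs between runs, so everything from ' (' onward is dropped."""
    return {l.strip().split(" (")[0] for l in text.splitlines() if l.strip()}


def parse_symbols(text):
    """`nm -D`: defined symbols print as 'ADDR TYPE NAME', undefined ones as
    '         U NAME'.  Addresses are dropped so a rebuild that merely
    relocated code compares equal; a vanished or renamed symbol still shows."""
    symbols = set()
    for l in text.splitlines():
        fields = l.split()
        if len(fields) in (2, 3):          # (addr,) type, name
            symbols.add((fields[-1], fields[-2]))
    return symbols


def parse_filelist(text):
    """`rpm -qlvp` ls-style lines (layout assumed here): mode links owner
    group size month day year-or-time path.  The timestamp fields are dropped;
    mode, owner, group and size are kept so a changed file still shows."""
    files = {}
    for l in text.splitlines():
        f = l.split(None, 8)
        if len(f) == 9:
            files[f[8]] = FileEntry(f[0], f[2], f[3], int(f[4]))
    return files


def diff_sets(old, new):
    """Sorted (removed, added) lists."""
    return sorted(old - new), sorted(new - old)


def compare_builds(old, new):
    """old/new: dicts keyed provides/requires/ldd/symbols/files holding raw
    captured text.  Per section: removed/added; for files also the entries
    whose mode/owner/group/size changed, and the total file counts."""
    parsers = {"provides": parse_capabilities, "requires": parse_capabilities,
               "ldd": parse_ldd, "symbols": parse_symbols}
    report = {}
    for key, parser in parsers.items():
        removed, added = diff_sets(parser(old[key]), parser(new[key]))
        report[key] = {"removed": removed, "added": added}
    of, nf = parse_filelist(old["files"]), parse_filelist(new["files"])
    removed, added = diff_sets(set(of), set(nf))
    changed = sorted(p for p in of.keys() & nf.keys() if of[p] != nf[p])
    report["files"] = {"removed": removed, "added": added,
                       "changed": changed, "count": (len(of), len(nf))}
    return report


def unintended_changes(report):
    """Flatten everything except the version-bearing Provides into
    'section: +/-/~item' lines.  An empty list is the 'no unintended
    changes' verdict the verifiers in the thread were after."""
    lines = []
    for section, body in report.items():
        if section != "provides":
            lines += [f"{section}: -{x}" for x in body["removed"]]
            lines += [f"{section}: +{x}" for x in body["added"]]
            lines += [f"{section}: ~{x}" for x in body.get("changed", [])]
    return lines


# Constructed sample, not real package contents: it merges two findings from
# the thread (locale files missing from the rebuilt glibc-common, extra
# freetype/libjpeg requirements on the rebuilt glibc-utils) into one tiny
# fake package.  Addresses and timestamps differ on purpose and must not show.
OLD_BUILD = {
    "provides": "glibc-common = 2.2.5-44\n",
    "requires": "/bin/sh\nld-linux.so.2\nlibc.so.6\n",
    "ldd": "libc.so.6 => /lib/libc.so.6 (0x40020000)\n",
    "symbols": "0004b2c0 T memusage_start\n         U malloc\n",
    "files": (
        "-rwxr-xr-x    1 root    root       20884 Feb 26  2002 /usr/bin/locale\n"
        "-rw-r--r--    1 root    root        1286 Feb 26  2002 /usr/share/locale/en_US/LC_MESSAGES/libc.mo\n"
        "-rw-r--r--    1 root    root        1301 Feb 26  2002 /usr/share/locale/fr/LC_MESSAGES/libc.mo\n"
    ),
}
NEW_BUILD = {
    "provides": "glibc-common = 2.2.5-44.legacy.2\n",
    "requires": "/bin/sh\nld-linux.so.2\nlibc.so.6\nlibfreetype.so.6\nlibjpeg.so.62\n",
    "ldd": "libc.so.6 => /lib/libc.so.6 (0x40031000)\n",
    "symbols": "0004c1a0 T memusage_start\n         U malloc\n",
    "files": (
        "-rwxr-xr-x    1 root    root       20884 Oct 16  2004 /usr/bin/locale\n"
        "-rw-r--r--    1 root    root        1286 Oct 16  2004 /usr/share/locale/en_US/LC_MESSAGES/libc.mo\n"
    ),
}

if __name__ == "__main__":
    for line in unintended_changes(compare_builds(OLD_BUILD, NEW_BUILD)):
        print(line)
```

Run stand-alone it prints the two extra Requires and the missing fr locale file, and says nothing about the relocated memusage_start symbol or the newer file timestamps; that separation is what the "finds no unintended changes from 2.2.5-44" verdict in the thread rests on. The version-bearing Provides line is kept in the report but left out of the verdict, since it is expected to differ between releases. On a real box the four text sections would come from `rpm -qp --provides`, `rpm -qp --requires`, `rpm -qlvp` and, after extracting the payload with rpm2cpio, `ldd` and `nm -D` on the binaries.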
------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 1947 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1947
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for glibc resolver
https://bugzilla.fedora.us/attachment.cgi?action=view&id=795
Advisory draft
https://bugzilla.fedora.us/attachment.cgi?action=view&id=854
Missing localization files in glibc-common-2.2.5-44.legacy.2.i386.rpm
https://bugzilla.fedora.us/attachment.cgi?action=view&id=867
Differences of glibc-common from previous errata
https://bugzilla.fedora.us/attachment.cgi?action=view&id=868
rpm-build-compare.sh script
https://bugzilla.fedora.us/attachment.cgi?action=view&id=869

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.