Bug 152761 - CAN-2002-0029 glibc resolver library flaw
CAN-2002-0029 glibc resolver library flaw
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
https://rhn.redhat.com/errata/RHSA-20...
LEGACY, rh73
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-08-04 13:24 EDT by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:26:32 EST
A security audit of the glibc packages in Red Hat Enterprise Linux 2.1
found a flaw in the resolver library which was originally reported as
affecting versions of ISC BIND 4.9. This flaw also applied to glibc
versions before 2.3.2. An attacker who is able to send DNS responses
(perhaps by creating a malicious DNS server) could remotely exploit this
vulnerability to execute arbitrary code or cause a denial of service. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2002-0029 to this issue.

Info:
https://rhn.redhat.com/errata/RHSA-2004-383.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0029



------- Additional Comments From michal@harddata.com 2004-08-05 07:44:39 ----

Created an attachment (id=795)
patch for glibc resolver

This patch is re-diffed against sources of glibc-2.2.5-44.src.rpm
fix taken from glibc-2.2.4-32.17.src.rpm RHEL sources.	Modification
to spec file are obvious.

I am running right now a machine with glibc compiled with this and
so far so good (or you will be not reading this :-).



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-08-20 05:34:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built glibc packages for 7.3 using the patch in comment #1

I have installed these packages on one workstation and one server. So far,
everything seems to function well.

Packages available for download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/glibc/

sha1sums:
4c15a9ce6b95ae057ed97aa9d884f8a322182ec1 *glibc-2.2.5-44.legacy.1.i386.rpm
47f33ec0098092be0f7fcee1981ed90c9ad28aa0 *glibc-2.2.5-44.legacy.1.src.rpm
6af08ec984ed957423ad76c01a447858f215d2de
*glibc-common-2.2.5-44.legacy.1.i386.rpm
dade74dd1e4fd146d9fa38286396c5307aa0d8e4
*glibc-debug-2.2.5-44.legacy.1.i386.rpm
12f595de3ef68e222a9f99050d47c6a2f4c81e59
*glibc-debug-static-2.2.5-44.legacy.1.i386.rpm
6bed18c54028b4ce8a68538da40f77294baeb99b
*glibc-devel-2.2.5-44.legacy.1.i386.rpm
a979d69807735c52e4c99464c2d62681448976b0
*glibc-profile-2.2.5-44.legacy.1.i386.rpm
1a584b5f05669f0d4c8fb213bb35707ec5136429
*glibc-utils-2.2.5-44.legacy.1.i386.rpm
5fad0fda9b04d2896732268555c5bab768e95c5f *nscd-2.2.5-44.legacy.1.i386.rpm

- -DWB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBJhn1SY7s7uPf/IURAjFuAKCBA/WRyfvv/n9ogO4UAePyHnarmACgiDS7
Cu1skptmTMDtE8C8WmmjL14=
=b5Xe
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-01 04:06:13 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the glibc package for 7.3:

47f33ec0098092be0f7fcee1981ed90c9ad28aa0 *glibc-2.2.5-44.legacy.1.src.rpm

- - Source files match previous release
- - Patch file looks good
- - Spec file looks good
- - Builds, Installs, and Runs OK.

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBNddnLMAs/0C4zNoRApOrAKCwwGxLS6eaDm8DpFyXnDj6MD2XawCeNe1A
KQU/SKRpbGj0xkitD9ldaDw=
=OUmv
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-09-03 05:11:56 ----

There may be a bug in the new glic w.r.t matlab, mathematica, and smp processes.
We are trying to confirm that glibc is indeed the source of the problem (Redhat
7.3).

Anyone have mathemtica, matlab and can play around some?



------- Additional Comments From dom@earth.li 2004-09-03 05:17:31 ----

I have Mathematica 5.0.1.0 on rh 7.3, running glibc-2.2.5-45.legacy. Feel free
to drop me a mail with some test cases.



------- Additional Comments From dom@earth.li 2004-09-03 05:19:51 ----

Whoops. 45.legacy being a version I rolled but didn't get out before Dave had
released his.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-09-03 08:00:44 ----

Problem solved. Turned out to be my failure to build the i686 arch rpms. Oops. 



------- Additional Comments From ckelley@ibnads.com 2004-09-13 04:11:43 ----

47f33ec0098092be0f7fcee1981ed90c9ad28aa0  glibc-2.2.5-44.legacy.1.src.rpm

I am probably missing something to build with, but I can't get this to work on 7.3:

+ '[' -d /var/tmp/glibc-2.2.5-root/usr/info -a /usr/share/info '!=' /usr/info
']'+ gzip -9nvf '/var/tmp/glibc-2.2.5-root/usr/share/info/libc*'
gzip: /var/tmp/glibc-2.2.5-root/usr/share/info/libc*: No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.8386 (%install)
 
 
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.8386 (%install)

/var/tmp/glibc-2.2.5-root/usr/share/info doesn't exist (but the 'share'
directory does)



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-13 13:52:54 ----

Do you have the info package installed? Try "rpm -q info".



------- Additional Comments From ckelley@ibnads.com 2004-09-15 05:00:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
47f33ec0098092be0f7fcee1981ed90c9ad28aa0  glibc-2.2.5-44.legacy.1.src.rpm
 
SPEC file is from redhat's 2.2.4-44 with CAN-2002-0029 patch (AS2.1)
the security patch is quite large, but looks ok from a cursory view
Packages build just fine after installing texinfo
After installing the new glibc, I rebooted and recompiled glibc just
to give the runtime a workout -- it all seems fine.
I'm not sure about mathematica, but octave runs just fine.
 
PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBSFkHyQ+yTHz+jJkRAp8uAKCZ+VKyjWaOe9EQ8X6AckQ//M0jgwCfeaKX
TbDOR++Kf+BVxJ0cc8qv6NY=
=PJap
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-09-16 15:43:40 ----

Does this not effect 9?



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-16 15:48:24 ----

Advisory says it affects glibc before 2.3.2. rh9 came with 2.3.2. rhel3 came
with 2.3.2 also and the advisory didn't apply to it, so I guess it doesn't apply
to rh9 either.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-17 13:16:03 ----

Created an attachment (id=854)
Advisory draft

Here is draft text for the advisory



------- Additional Comments From jpdalbec@ysu.edu 2004-09-28 09:32:22 ----

IMO this needs a BuildRequires: texinfo to be publishable.  I'm building updated
packages now.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-28 09:40:33 ----

John,

Don't bother making new packages, I'll just add texinfo when I build this for
testing.




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-28 09:42:15 ----

I see Dom is going to build this for testing. Dom- Please add "BuildRequires:
texinfo" to the spec file...



------- Additional Comments From dom@earth.li 2004-09-30 23:13:17 ----

Pushed to updates-testing:

http://www.redhat.com/archives/fedora-legacy-list/2004-October/msg00003.html



------- Additional Comments From ckelley@ibnads.com 2004-10-01 09:58:09 ----

Created an attachment (id=867)
Missing localization files in glibc-common-2.2.5-44.legacy.2.i386.rpm

Catastrophic error : blah.rpm has differing file count (2941 vs 5578)

I think something is wrong with the binary build on updates-testing; it doesn't
have the same number of files as the original redhat release, or a localized
build on my test box.  See the attachment for a diff of the files (< points to
my localized build)



------- Additional Comments From dom@earth.li 2004-10-01 13:59:18 ----

Also, I need to fix missing i686 packages.



------- Additional Comments From cra@wpi.edu 2004-10-02 09:13:13 ----

Created an attachment (id=868)
Differences of glibc-common from previous errata

Output of:

rpm-build-compare.sh glibc-common-2.2.5-44.i386.rpm
glibc-common-2.2.5-44.legacy.2.i386.rpm




------- Additional Comments From cra@wpi.edu 2004-10-02 09:17:28 ----

Created an attachment (id=869)
rpm-build-compare.sh script

Script to compare two binary or source rpm files.  Differences are noted for
the following:

Provides
Requires
Dynamic Link Libraries (ldd)
Symbol Tables (nm) - symbol addresses are not included
File lists - timestamps are not included
Files themselves




------- Additional Comments From ckelley@ibnads.com 2004-10-04 04:18:42 ----

Thanks Charles!  I've been building my own toolset to do just that
http://www.ibnads.com/fedora_legacy/rpm_tools



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-04 12:00:29 ----

These were pulled from updates-testing until we get them fixed.



------- Additional Comments From ludes@yahoo.com 2004-10-07 02:46:07 ----

Similar to message #18 It appears that localization is missing.  I get this 
perl error when running autorpm on a 3 machines that had the testing glibc 
rpms installed.

[root@boreas i686]# autorpm
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

Once I resort back to the orginal rpms for glibc the warning disappears



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-16 04:22:15 ----

I'm trying to build glibc on a fully-installed Red Hat 7.3 box, as we are having
problems building this on our mach server.

Although it successfully builds, the glibc-utils package has extra dependencies
on freetype and libjpeg that are not present in the last glibc-utils errata
release. If I remove freetype and libjpeg from the build server, glibc won't
build anymore as memusage is missing.

Anyone have any idea what could be done?




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-16 12:02:37 ----

Rebuilt packages were pushed to updates-testing.

787b02c547d9578eab2112b681d58ce40589dd37 
7.3/updates-testing/i386/glibc-2.2.5-44.legacy.3.i386.rpm
d73f3bf9fd6c094dbf3d7c0409c0d34de40a1cfd 
7.3/updates-testing/i386/glibc-2.2.5-44.legacy.3.i686.rpm
df3fdb0f5d327b10bb285b06a5f1422642b980b7 
7.3/updates-testing/i386/glibc-common-2.2.5-44.legacy.3.i386.rpm
61e6c8521d67f38e96c679b3d263f6dccfb43b75 
7.3/updates-testing/i386/glibc-debug-2.2.5-44.legacy.3.i386.rpm
d5b070b85a0a57702f3259790e59707dd8d67ef1 
7.3/updates-testing/i386/glibc-debug-2.2.5-44.legacy.3.i686.rpm
e8988fb212ad671469f190f01b35c7664298ea58 
7.3/updates-testing/i386/glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
f2043d369aeb8a8a39b0f1e429fdbcf08dcefd5b 
7.3/updates-testing/i386/glibc-devel-2.2.5-44.legacy.3.i386.rpm
5902d254f9926b0c532e8af5e0fe3ed22e105215 
7.3/updates-testing/i386/glibc-profile-2.2.5-44.legacy.3.i386.rpm
6c8b2d53b0626265c180ba09a1a6161e4be6765d 
7.3/updates-testing/i386/glibc-utils-2.2.5-44.legacy.3.i386.rpm
26282373e4cd3770b40b3cf10dc17b7f6f23ce6a 
7.3/updates-testing/i386/nscd-2.2.5-44.legacy.3.i386.rpm
b8f02cd099305c9866715493147ca9c9dcecfff0 
7.3/updates-testing/SRPMS/glibc-2.2.5-44.legacy.3.src.rpm




------- Additional Comments From ckelley@ibnads.com 2004-10-19 05:31:01 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Binaries:
d73f3bf9fd6c094dbf3d7c0409c0d34de40a1cfd  glibc-2.2.5-44.legacy.3.i686.rpm
df3fdb0f5d327b10bb285b06a5f1422642b980b7  glibc-common-2.2.5-44.legacy.3.i386.rpm
d5b070b85a0a57702f3259790e59707dd8d67ef1  glibc-debug-2.2.5-44.legacy.3.i686.rpm
e8988fb212ad671469f190f01b35c7664298ea58 
glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
f2043d369aeb8a8a39b0f1e429fdbcf08dcefd5b  glibc-devel-2.2.5-44.legacy.3.i386.rpm
5902d254f9926b0c532e8af5e0fe3ed22e105215  glibc-profile-2.2.5-44.legacy.3.i386.rpm
6c8b2d53b0626265c180ba09a1a6161e4be6765d  glibc-utils-2.2.5-44.legacy.3.i386.rpm
26282373e4cd3770b40b3cf10dc17b7f6f23ce6a  nscd-2.2.5-44.legacy.3.i386.rpm
 
Source:
b8f02cd099305c9866715493147ca9c9dcecfff0  glibc-2.2.5-44.legacy.3.src.rpm
 
 - Cross-checked with glibc-2.2.5-34, and it looks good
 - Source builds fine and matches published RPMs
 - Installs properly, and seems to run fine
 
+VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBdTMiyQ+yTHz+jJkRAhZaAKDBkIT2bvJEqRUhXDMMmPlN/ZSaUACgp3vQ
Xo1y0Ty1fzvt92OMTRNniFM=
=FVvL
-----END PGP SIGNATURE-----



------- Additional Comments From cra@wpi.edu 2004-10-21 15:07:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for RH 7.3:

787b02c547d9578eab2112b681d58ce40589dd37  glibc-2.2.5-44.legacy.3.i386.rpm
d73f3bf9fd6c094dbf3d7c0409c0d34de40a1cfd  glibc-2.2.5-44.legacy.3.i686.rpm
df3fdb0f5d327b10bb285b06a5f1422642b980b7  glibc-common-2.2.5-44.legacy.3.i386.rpm
61e6c8521d67f38e96c679b3d263f6dccfb43b75  glibc-debug-2.2.5-44.legacy.3.i386.rpm
d5b070b85a0a57702f3259790e59707dd8d67ef1  glibc-debug-2.2.5-44.legacy.3.i686.rpm
e8988fb212ad671469f190f01b35c7664298ea58 
glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
f2043d369aeb8a8a39b0f1e429fdbcf08dcefd5b  glibc-devel-2.2.5-44.legacy.3.i386.rpm
5902d254f9926b0c532e8af5e0fe3ed22e105215  glibc-profile-2.2.5-44.legacy.3.i386.rpm
6c8b2d53b0626265c180ba09a1a6161e4be6765d  glibc-utils-2.2.5-44.legacy.3.i386.rpm
26282373e4cd3770b40b3cf10dc17b7f6f23ce6a  nscd-2.2.5-44.legacy.3.i386.rpm
b8f02cd099305c9866715493147ca9c9dcecfff0  glibc-2.2.5-44.legacy.3.src.rpm

* rpm-build-compare.sh finds no unintended changes from 2.2.5-44
* packages install fine
* has been running fine on several systems since 10/14/2004
* VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBeFuIw2eg+Um7WIYRAoE1AJsHwwepOwTE/HbsdLAmmPRyNGn91QCdFxcv
W5V8O0r1V4LHy7dcuS5QUH0=
=AC9d
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-24 03:41:12 ----

Packages were released to official updates.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:26 -------

This bug previously known as bug 1947 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1947
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for glibc resolver
https://bugzilla.fedora.us/attachment.cgi?action=view&id=795
Advisory draft
https://bugzilla.fedora.us/attachment.cgi?action=view&id=854
Missing localization files in glibc-common-2.2.5-44.legacy.2.i386.rpm
https://bugzilla.fedora.us/attachment.cgi?action=view&id=867
Differences of glibc-common from previous errata
https://bugzilla.fedora.us/attachment.cgi?action=view&id=868
rpm-build-compare.sh script
https://bugzilla.fedora.us/attachment.cgi?action=view&id=869

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.