Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 152848

Summary: CAN-2004-0968,1382,1453 glibc catchsegv/glibcbug/LD_DEBUG vulnerabilities
Product: [Retired] Fedora Legacy Reporter: David Lawrence <dkl>
Component: glibcAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: deisenst, fweimer, jimpop, jpdalbec, kelson, leonard-rh-bugzilla, marc.deslauriers, pekkas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/12930/
Whiteboard: 2, 1, LEGACY, rh73, rh90
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-11-14 04:18:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
rpm-build-compare.sh output and patch file differences none

Description David Lawrence 2005-03-30 23:29:34 UTC 
http://secunia.com/advisories/12930/

A vulnerability has been reported in GNU C Library (glibc), which can be
exploited by malicious, local users to perform certain actions on a vulnerable
system with escalated privileges.

The vulnerability is caused due to temporary files being created insecurely by
the "catchsegv" script. This can be exploited via symlink attacks to create or
overwrite arbitrary files with the privileges of the user invoking the
vulnerable script.

CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0968

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136319



------- Additional Comments From fedora-legacy-bugzilla-2004 2004-11-09 16:47:16 ----

Red Hat Bugzilla (RHEL3):
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318

Patch:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=105440&action=view



------- Additional Comments From michal 2004-11-10 08:24:01 ----

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318#c2
includes the following about patch from
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=105440&action=view

"For catchsegv a different patch has been committed upstream,
the remaining changes are incorrect."

so for patches one should really check new sources when they will be released.




------- Additional Comments From bugzilla.fedora.us 2004-12-08 13:34:50 ----

Ubuntu Security Notice USN-4-1 ( available at
http://www.ubuntulinux.org/support/documentation/usn/usn-4-1) also mentions a
security issue in the "glibcbug" script.  no other CVE number is given, though.



------- Additional Comments From pekkas 2004-12-23 00:44:50 ----

A good question here might be whether we'd want to consider applying the glibc
bugfixes which have been put in RHEL at the same time as a security update.



------- Additional Comments From marcdeslauriers 2004-12-23 04:30:13 ----

I think we should stick with the security patches. If people are hit by the
glibc bugs, they probably have already done something about it. The less we
change, the less we risk breaking something.



------- Additional Comments From marcdeslauriers 2005-03-05 20:23:23 ----

If someone builds packages, please include fix for bug 2354.



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2265 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2265
Originally filed under the Fedora Legacy product and Package request component.
Bug blocks bug(s) 2354.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
Comment 1 John Dalbec 2005-04-29 13:02:31 UTC 
RHEL 2.1 advisory: https://rhn.redhat.com/errata/RHSA-2005-261.html
Comment 2 Pekka Savola 2005-04-30 07:35:28 UTC 
FWIW, in the RHL9 update we should also unbreak the "fix" Red Hat made in their
last errata update: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=101261

That is, the IPv6 reverse queries should use nibbles under ip6.arpa., like
a.a.a.a.a....ip6.arpa., instead of bitlabels.  Bitlabels break _very_ badly with
Bind 9.3.0+, causing dozens of seconds of timeouts when trying to ssh in an
IPv6-enabled system.

This can be achieved by not applying the patch glibc-reverse-ipv6.patch.
Comment 3 Pekka Savola 2005-04-30 07:43:30 UTC 
FWIW, #2354 on timex.h doesn't seem to apply; it seems fine on both RHL73 and
RHL9, and besides, because it's in /usr/include/linux/, it belongs to
glibc-kernheaders source RPM, not this one, so it can be excluded.
Comment 4 Pekka Savola 2005-04-30 19:58:52 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages to fix CAN-2004-0968, CAN-2004-1382, and CAN-2004-1453 for RHL73,
RHL9, and FC1.  Not signed, unfortunately.

Available: 

http://staff.csc.fi/psavola/fl/glibc-2.2.5-44.legacy.4.src.rpm (RHL73)
http://staff.csc.fi/psavola/fl/glibc-2.3.2-27.9.7.1.legacy.src.rpm (RHL9)
http://staff.csc.fi/psavola/fl/glibc-2.3.2-101.4.1.legacy.src.rpm (FC1)

b92e7aff62355e4c29da77c5848a0cbdcd43db73  glibc-2.2.5-44.legacy.4.src.rpm
d614c7d0f63bee6705aba0b21de9963a9199dba2  glibc-2.3.2-101.4.1.legacy.src.rpm
d6ef34261f02fa040f99f827d17d24493090480b  glibc-2.3.2-27.9.7.1.legacy.src.rpm

676d7efacc8c8a297e79621831830200b266796f  glibc-2.3.2-27.9.7.1.legacy.i386.rpm
39924ebca2b9dcb62789bbb7344d30bb4f80e1d8 
glibc-common-2.3.2-27.9.7.1.legacy.i386.rpm
82c2af2db6b7b4dc5caec7c7eb1f878dcc653396  glibc-debug-2.3.2-27.9.7.1.legacy.i386.rpm
641371a653b4b00f5908ede77e02a33ccbbe9a53 
glibc-debuginfo-2.3.2-27.9.7.1.legacy.i386.rpm
982a64d40befa968e3e5ddc8598d0f2c204a085e 
glibc-debuginfo-common-2.3.2-27.9.7.1.legacy.i386.rpm
8307375a8ae139d70efc5336a4477efec51e292c  glibc-devel-2.3.2-27.9.7.1.legacy.i386.rpm
774d644b9d020ef435bf4573bbfc05e91757a9b7 
glibc-profile-2.3.2-27.9.7.1.legacy.i386.rpm
4a1ac580cdfd9f6c1797665d1a46c01e06c9693d  glibc-utils-2.3.2-27.9.7.1.legacy.i386.rpm
34cd203782ee08766d226610921b7bfa51697440  nscd-2.3.2-27.9.7.1.legacy.i386.rpm

* Sat Apr 30 2005 Pekka Savola <pekkas> 2.3.2-27.9.7.1.legacy

- - fix CAN-2004-0968, CAN-2004-1382, and CAN-2004-1453 (#152848)
- - Unbreak IPv6 reverse lookups, broken by errata 2.3.2-27.9.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCc+MdGHbTkzxSL7QRApmLAKC5lNy1ebFjbJJUhpeo2UCvLtUrqwCgkDA7
VotjmMVsfVhcn+H6reY5FWo=
=as7q
-----END PGP SIGNATURE-----
Comment 5 Marc Deslauriers 2005-05-01 00:32:19 UTC 
Hey Pekka,

Could you please include the patch from the packages in bug 156048 in the rh7.3
rpm? It's a security issue.
Comment 6 Pekka Savola 2005-05-01 05:51:29 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, here's a version which includes the fix, available from the same place.

aa4877c8ad9a39510fa6efa4a422f789e941f4bb  glibc-2.2.5-44.legacy.5.src.rpm


* Sun May 01 2005 Pekka Savola <pekkas> 2.2.4-44.legacy.5

- - add glibc-2.2.4-nscd-hstcache.patch to fix gethostbyaddr/gethostbyname
  caching issues, #156048.  Patch from RHEL21.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCdG5BGHbTkzxSL7QRAqSUAKCkuq3X8SuWycLDFTboWoKOZEG09gCeJ+nA
su+XvZV76iI8vKm5uKVWMQw=
=0dmR
-----END PGP SIGNATURE-----
Comment 7 Pekka Savola 2005-05-05 06:31:06 UTC 
tag change -fc1 -> -core1..
Comment 8 Pekka Savola 2005-05-05 06:42:08 UTC 
*** Bug 156048 has been marked as a duplicate of this bug. ***
Comment 9 Pekka Savola 2005-06-29 13:00:00 UTC 
tag change, -rh9 -> -rhl9
Comment 10 John Dalbec 2005-07-08 18:36:47 UTC 
glibc-2.2.5-44.legacy.5.src.rpm (RHL73)
glibc-2.3.2-27.9.7.1.legacy.src.rpm (RHL9)
glibc-2.3.2-101.4.1.legacy.src.rpm (FC1)

Should these be built for updates-testing as:
glibc-2.2.5-45.0.7.3.legacy.src.rpm (RHL73)
glibc-2.3.2-28.0.9.legacy.src.rpm (RHL9)
glibc-2.3.2-102.1.legacy.src.rpm (FC1)
?  That way it's clear which package belongs to which distro.  FC2 has
glibc-2.3.3 so this shouldn't cause versioning problems.
Comment 11 Pekka Savola 2005-07-08 18:51:05 UTC 
I've no problem with such versioning, I just incremented versions used :).

This is a moot point before someone actually produces the PUBLISH votes though. ;-(
Comment 12 Pekka Savola 2005-07-10 06:28:31 UTC 
John Dalbec pointed out that the patches in RHL9 and FC1 are
incomplete (thanks!).  This has been fixed in the new packages.  Note that
I forgot to update the changelog for the revised version, but this can be
done in the build process (in addition to renaming, if any):

959721c64a23202d3be8144a62716359053b4681  glibc-2.3.2-101.4.2.legacy.src.rpm
fc00098d2dd43cb7255d0140e20aaf83fa93ccfc  glibc-2.3.2-27.9.7.2.legacy.src.rpm

available at: http://staff.csc.fi/psavola/fl/
Comment 13 Jim Popovitch 2005-07-10 23:21:12 UTC 
Can we get some i386/i686 packages for Q&A in order to produce PUBLISH votes.  Thz.

-Jim P.
Comment 14 Pekka Savola 2005-07-11 04:55:16 UTC 
Sorry, I have only i386/i686 packages for RHL9, in the same URL.  But for
publish just checking the patches etc. should be enough.
Comment 15 Pekka Savola 2005-07-12 15:27:33 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For those who want to see the signed SHA1sums, here they are.

959721c64a23202d3be8144a62716359053b4681  glibc-2.3.2-101.4.2.legacy.src.rpm
fc00098d2dd43cb7255d0140e20aaf83fa93ccfc  glibc-2.3.2-27.9.7.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC0+FaGHbTkzxSL7QRAiRSAJ0c1Tf3FztrretHrmHsiTsSvFy20ACfQAef
5eHJ1PE8dGau5aLl9A86bow=
=eB4L
-----END PGP SIGNATURE-----
Comment 16 John Dalbec 2005-07-12 21:16:26 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++PUBLISH RHL 7.3 RHL 9 FC 1

sha1sums:
51f349b3916ba7336388f1438cdba02a0a15943e  glibc-2.2.4-32.20.src.rpm
b8f02cd099305c9866715493147ca9c9dcecfff0  glibc-2.2.5-44.legacy.3.src.rpm
aa4877c8ad9a39510fa6efa4a422f789e941f4bb  glibc-2.2.5-44.legacy.5.src.rpm
959721c64a23202d3be8144a62716359053b4681  glibc-2.3.2-101.4.2.legacy.src.rpm
2c824c91b224c469d89c57dd2511e7bb361a1b91  glibc-2.3.2-101.4.src.rpm
fc00098d2dd43cb7255d0140e20aaf83fa93ccfc  glibc-2.3.2-27.9.7.2.legacy.src.rpm
841af08ac91d636a71c6314b4f568aacc0dfee79  glibc-2.3.2-27.9.7.src.rpm
509e2cfbaa95de87c609de88c66ea846e4db6897  glibc-2.3.2-95.33.src.rpm
8b36977c58552a05c123b741d7727a8abf50de86  glibc-diff.tar.bz2

new patches:
* glibc-2.2.4-catchsegv.patch matches the patch file of the same name in
  glibc-2.2.4-32.20.src.rpm (RHEL AS 2.1)
* glibc-2.2.4-nscd-hstcache.patch matches the patch file of the same name in
  glibc-2.2.4-32.20.src.rpm (RHEL AS 2.1)
* glibc-2.2.5-suid-ldso-envvars.patch almost matches the patch file named
  glibc-2.2.4-suid-ldso-envvars.patch in glibc-2.2.4-32.20.src.rpm
  (RHEL AS 2.1).  The differences appear reasonable (see glibc-diff.tar.bz2).
* glibc-reverse-ipv6.patch (new in glibc-2.3.2-101.4.2.legacy.src.rpm) matches
  the existing patch file of the same name in glibc-2.3.2-27.9.7.src.rpm and
  glibc-2.3.2-27.9.7.2.legacy.src.rpm
* glibc-suid-ldso-envvars.patch matches the patch file of the same name in
  glibc-2.3.2-95.33.src.rpm (RHEL AS 3)
* glibc-fc1-suid-ldso-envvars.patch almost matches the patch file named
  glibc-suid-ldso-envvars.patch in glibc-2.3.2-95.33.src.rpm (RHEL AS 3).
  The differences appear reasonable (see glibc-diff.tar.bz2).

* RHL 7.3 package builds OK for --target i386-redhat-linux (default) on mach.
* RHL 9 package missing buildrequires: texinfo.  After fixing this it builds OK
  for --target i386-redhat-linux (default) on mach.
* FC 1 package builds OK for --target i386-redhat-linux (default) on mach.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC1DK/JL4A+ldA7asRAoLuAKCS6gjN6+M1NRXeMaNa2E6liKzSggCgw+AW
zMI4Ndp74+9QsZqntnmcJVs=
=j4QQ
-----END PGP SIGNATURE-----
Comment 17 John Dalbec 2005-07-12 21:19:03 UTC 
Created attachment 116685 [details]
rpm-build-compare.sh output and patch file differences
Comment 18 Pekka Savola 2005-07-13 04:55:59 UTC 
Thanks!
Comment 19 Marc Deslauriers 2005-07-18 20:36:06 UTC 
It would be nice to get some fc2 packages for CAN-2004-1453 before we release
these so they can all be in the same advisory...see bug 146402
Comment 20 Pekka Savola 2005-07-19 13:21:15 UTC 
If you package a fix for FC2, I can give it a publish.  I doubt I do that
properly as I don't have access to a FC2 system.  (Well, I guess I could try
with 'rpmbuild -bs glibc.spec' but that could lead to problems..)
Comment 21 Pekka Savola 2005-07-20 16:09:19 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, here's a package for FC2 as well, available at
http://staff.csc.fi/psavola/fl/glibc-2.3.3-27.1.1.legacy.src.rpm

abb324b6aba5c573ed70cf0f9ba071afc9312e08 glibc-2.3.3-27.1.1.legacy.src.rpm

Note that this doesn't build (completely) on any of the OS versions I have,
but I think it should work..
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC3ncLGHbTkzxSL7QRAl3xAKCatGAeIKtyCs2Ji7zi+zuifMUE+wCcDK5Y
tC1SYGGuF2Iky4inEA9B0+I=
=GbGG
-----END PGP SIGNATURE-----
Comment 22 Pekka Savola 2005-07-20 16:10:13 UTC 
*** Bug 146402 has been marked as a duplicate of this bug. ***
Comment 23 Marc Deslauriers 2005-07-22 22:03:31 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC2 package:

abb324b6aba5c573ed70cf0f9ba071afc9312e08 glibc-2.3.3-27.1.1.legacy.src.rpm

- - Source files match previous release
- - Patch matches RHEL3 with minor differences
- - Spec file changes OK
- - Builds OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC4W09LMAs/0C4zNoRAtivAJ92VDB1T9Dhm5acW7scnO7O6uyv1ACgoFw6
L0X4zq0FDw2PQ69GcuVooE0=
=lbve
-----END PGP SIGNATURE-----
Comment 24 Marc Deslauriers 2005-07-23 00:25:46 UTC 
Has anyone gotten this to compile for i686 in mach?
Comment 25 Pekka Savola 2005-07-23 11:01:14 UTC 
I don't have mach, but.. how is it failing?
Comment 26 Marc Deslauriers 2005-07-23 16:52:24 UTC 
Here is the last lines of the rpm.log file:

rm -f /usr/src/rpm/BUILD/glibc-2.2.5/build-i686-linux/elf/symlink.list
test ! -x /usr/src/rpm/BUILD/glibc-2.2.5/build-i686-linux/elf/ldconfig ||
LC_ALL=C LANGUAGE=C \
  /usr/src/rpm/BUILD/glibc-2.2.5/build-i686-linux/elf/ldconfig -r
/var/tmp/glibc-2.2.5-root \
                               /lib /usr/lib
/usr/src/rpm/BUILD/glibc-2.2.5/build-i686-linux/elf/ldconfig: Can't open
configuration file /var/tmp/glibc-2.2.5-root/etc/ld.so.conf: No such file or
directory
make[1]: Leaving directory `/usr/src/rpm/BUILD/glibc-2.2.5'
make: Leaving directory `/usr/src/rpm/BUILD/glibc-2.2.5/build-i686-linux'
+ %patch64 -p1 -b .b1
/var/tmp/rpm-tmp.6903: fg: no job control
error: Bad exit status from /var/tmp/rpm-tmp.6903 (%install)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.6903 (%install)
Comment 27 Marc Deslauriers 2005-07-23 16:54:00 UTC 
I seem to recall we couldn't build it in mach last time either and I actually
built the updates on my test machines.
Comment 28 Pekka Savola 2005-07-23 17:26:39 UTC 
Well, glibc should (in theory) have 'Requires: glibc' line.  I don't know how
mach handles recursive buildrequirements.  It seems that some files provided by
glibc, like ld.so.conf aren't available in the build environment so it fails?
Comment 29 Marc Deslauriers 2005-08-13 22:43:47 UTC 
Well, I can't get it to build for i686 on a real rh7.3 either...something is
wrong...
Comment 30 Pekka Savola 2005-08-15 09:10:11 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
OK, sorry abou this.  The RHL73 update was a brown paperbag release.  A
couple of %patch lines were duplicated, but this is fixed now -- it compiles
fine under i686.
 
I also noted that there's also one misplaced "# Fedora Legacy security
patches" line in FC1 but that doesn't affect anything, and can be cleaned up
during build if even then.
 
Sorry about this mess.  The file is available at the same place as the
previos ones..
 
07d3afb3f32e1b4749bd9ebbf01f492220674962  glibc-2.2.5-44.legacy.6.src.rpm
 
Alternatively, you could instead manually apply the following changes to the
spec file:
 
@@ -64,8 +64,6 @@
 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh
  
 %description
- -# Fedora Legacy security patches
- -
 The glibc package contains standard libraries which are used by
 multiple programs on the system. In order to save disk space and
 memory, as well as to make upgrading easier, common system code is
@@ -312,8 +310,6 @@
 %endif
  
 %ifarch i686 athlon
- -%patch64 -p1 -b .b1
- -%patch66 -p1 -b .b2
  
  
 rm -rf build-%{_target_cpu}-linux2.4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDAFv4GHbTkzxSL7QRAr05AJ9KWduQhyLGmFL1cNMCQb/Z4T+G5ACeKnr3
ni18Zmv7H0o+qcJmMpV7QRA=
=loiC
-----END PGP SIGNATURE-----
Comment 31 Gilbert Sebenste 2005-08-19 15:07:30 UTC 
Hello all,

Just tried out this version on FC1, classic WORKSFORME. +PUBLISH FC1.

Gilbert
Comment 32 Marc Deslauriers 2005-09-15 02:07:10 UTC 
Packages were released to updates-testing
Comment 33 Tom Yates 2005-09-15 05:26:20 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

b4c28abc5d318f53f22772bc069665adc4f9d5f3 glibc-2.3.2-27.9.7.2.legacy.i686.rpm
8ea462b77d16513f0623409219cb297fa95fe6ba glibc-common-2.3.2-27.9.7.2.legacy.i386.rpm
b8fe3480b249761c468d4019c3b9ac0358068475 glibc-devel-2.3.2-27.9.7.2.legacy.i386.rpm
d20ce4f39ed7ffc6c8cb81c8a84b229a2158d81e glibc-utils-2.3.2-27.9.7.2.legacy.i386.rpm

install OK, sshd restarts OK, can still log in and use the machine (if
glibc went pear-shaped, i'd expect an awful lot of stuff to break).

+VERIFY RH9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKQW1ePtvKV31zw4RArBSAJ90kJpXcSag+OtJg1PEerekxz3KfQCfXmfB
KgBQf8SiR1/G5q6bWSNl1Kc=
=BVXl
-----END PGP SIGNATURE-----
Comment 34 Pekka Savola 2005-09-15 05:36:39 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL73.  Glibc updates went in smoothly.  Logging in with SSH still
works fine; restarting SSHD and logging in works fine as well.  ++VERIFY
RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDKQiLGHbTkzxSL7QRAqRbAJ96h3qAg1PRQNLl2GCAsF4Wv6N8SACg0nlD
YpqkKNHKUf+3UNTbgH5mjww=
=b2gx
-----END PGP SIGNATURE-----


Thanks Tom.  Timeout in two weeks.
Comment 35 Jim Popovitch 2005-09-15 11:37:37 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFIED RH73

Installed smoothly, ssh/https/openssl all work well.

d7de4fd1bc7772fd83948515315c6f7f  glibc-2.2.5-44.legacy.6.i686.rpm
452ee17a3ef8759f240ab2907eba110b  glibc-common-2.2.5-44.legacy.6.i386.rpm
7406f6df0fea4a28b7d1da928c223116  glibc-devel-2.2.5-44.legacy.6.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFDKVziMyG7U7lo69MRAkTgAJ9ZZsuWMI80MxNDbdRg6TeiEsEVugCgp/GN
BsBzSVpr7/tTxtzBn32p1nw=
=VSnU
-----END PGP SIGNATURE-----
Comment 36 David Eisenstein 2005-09-23 00:07:00 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for glibc packages for Fedora Core 1:

Installed/Tested/Am Using:
=========================
ef743504f28c797cd9a807dd8a769a837eda8525  glibc-2.3.2-101.4.2.legacy.i386.rpm
ca70e82a96ad014145357feb9b8b3222314afd7e  nscd-2.3.2-101.4.2.legacy.i386.rpm
cf814c1e573db45e76b63bce49b40876fdd42e28  glibc-common-2.3.2-101.4.2.legacy.
					  i386.rpm

Installed, compared with previous version:
=========================================
00809ff8abcf096091592e065dbc859a1fc413bd  glibc-devel-2.3.2-101.4.2.legacy.
					  i386.rpm
8417a8697d7929e866cd48be44bcd4e9b29ef8a2  glibc-headers-2.3.2-101.4.2.legacy.
					  i386.rpm

  * Installs well
  * Works well
  * No problems noticed; ssh, sshd work fine (was glibc breaking them?)
  * Great job, Marc!

VERIFY FC1 ++

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDM0cXxou1V/j9XZwRAiabAJ9xyWhwFhRIIzJNsumFwEC6JG0uBQCgxcth
EL2vqYfWPMpoPGTfaOrHie0=
=OFdM
-----END PGP SIGNATURE-----
Comment 37 Pekka Savola 2005-10-01 04:21:45 UTC 
Timeout over.
Comment 38 David Eisenstein 2005-10-14 14:15:39 UTC 
What are the chances that we could also fix another bug with the RH7.3 and
possibly the RH9 versions of the packages?  An end-user I talked with on IRC
indicated that the timezone information in RH7.3's and RH9's glibc-common's
tzdata is about to become incorrect due to U.S. Congressional changes to the
start and end dates of Daylight Savings time.  User <poushag> says we should
refer to 2005m-1 tzdata package for the newer FC builds.

More information is available on the time-zone changes fix at 
http://www.redhat.com/archives/fedora-announce-list/2005-September/msg00022.html
(Fedora Update Notification FEDORA-2005-856) for the Fedora Core 4 package
tzdata-2005m-1.fc4.src.rpm, upon which our changes may need to be based.

Thanks to <poushag> for bringing this to our attention.
Comment 39 Pekka Savola 2005-11-13 17:26:02 UTC 
Is there a particular reason why this hasn't been pushed out yet?

David, that fix seems to apply only starting from 2007.  If anyone even cares
about this then, maybe we could fix it in the next security patch :).  I don't
think this is a sufficient reason to stall at the moment.
Comment 40 David Eisenstein 2005-11-13 23:33:02 UTC 
I agree, Pekka.  I've talked it over also with Jesse (and I think Marc) on IRC,
and we all seem to agree that these packages just need to be pushed to updates,
and we can take care of timezone changes in a future security update.

Just wanted to make sure <poushag> got his bid in.

Timezone changes for RH7.3 and RH9 happen in the main glibc src.rpm.  Timezone
changes for FC1 and FC2 and newer distros, if I recall, are in separate tzdata
{src,i386}.rpms.  Timezone stuff may have security implications and are impor-
tant, but are not urgent.
Comment 41 Marc Deslauriers 2005-11-14 04:18:18 UTC 
packages were released