Patch Name: PHCO_28481

Patch Description: s700_800 11.11 cumulative 10.20 libc compatibility support

Creation Date: 03/11/23

Post Date: 03/12/12

Hardware Platforms - OS Releases:
    s700: 11.11
    s800: 11.11

Products: N/A

Filesets:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical:
    Yes
    PHCO_28481: HANG ABORT
    PHCO_25898: ABORT CORRUPTION
    PHCO_24145: CORRUPTION

Category Tags:
    defect_repair general_release critical halts_system corruption

Path Name: /hp-ux_patches/s700_800/11.X/PHCO_28481

Symptoms:
    PHCO_28481:
    Host name processing for rlogin/remsh/rexec is not working
    properly.
    JAGaa27187; SR 8606311409

    Username processing for rlogin/remsh/rexec is not working
    properly.
    JAGad27794; SR 8606158464

    Problem with libc library resolver routines.
    JAGae35468; SR 8606271239

    Problem with gethostby* resolver code.
    JAGae37148; SR 8606273042

    The library libc does not function properly.
    JAGae38579; SR 8606274502

    showmount dumps core with SIGSEGV under certain circumstances.
    JAGae38632; SR 8606274555

    The ypmatch command hangs if it is passed a key with a size
    greater than 330 bytes.
    JAGae45826; SR 8606281883

    Memory based XDR stream implementations do not function properly.
    JAGae55409; SR 8606291642

    Superuser cannot restrict the paths set in the NLSPATH
    environment variable for setuid root programs which are using
    catopen(3C) and executed by others.
    JAGae75035; SR 8606312216

    Some of the XDR routines do not function properly.
    JAGae75654; SR 8606312847

    calloc(3C) miscalculates the requirement.
    JAGae75950; SR 8606313152

    PHCO_25898:
    popen() fails with CMA applications when _VFORK_NO_CMA is set.
    JAGad94650; SR 8606225567

    regexec() does not handle multibyte characters correctly.
    JAGad74356; SR 8606205180

    getcwd() core dumps when compiled with -z option.
    JAGab95031; SR 8606112895

    PHCO_24145:
    vfork() in a threaded environment behaves like the fork() system
    call.
    JAGad53376; SR 8606184167

    Program dumps core while running basename.
    JAGad50843; SR 8606181627

    A 10.20 program using basename(3C) or dirname(3C) dumped core on
    11.11.
    JAGad63107; SR 8606193897

Defect Description:
    PHCO_28481:
    The services rlogin/remsh/rexec use the rcmd()/rexec() libc call.
    These services fail because rcmd() does not process host names
    properly.
    Resolution:
    rcmd() now handles host names properly.
    JAGaa27187; SR 8606311409

    The services rlogin/remsh/rexec use the rcmd()/rexec() libc call.
    These services fail because rcmd() does not process user names
    properly.
    Resolution:
    rcmd() now handles user names properly.
    JAGad27794; SR 8606158464

    Under certain circumstances, the resolver incorrectly calculates
    the available buffer size.
    Resolution:
    The buffer size is now calculated properly.
    JAGae35468; SR 8606271239

    Under certain circumstances, large packets received by the
    resolver were not handled properly.
    Resolution:
    The resolver now properly handles large packets.
    JAGae37148; SR 8606273042

    The library libc does not function properly.
    Resolution:
    Modified the libc code to correct the problem.
    JAGae38579; SR 8606274502

    showmount dumps core with SIGSEGV under certain circumstances.
    Resolution:
    Added code to address the problem.
    JAGae38632; SR 8606274555

    When ypmatch looks up a hostname in the hosts.byname map, ypbind
    is contacted to get a client handle, which has a small send size.
    When ypmatch makes an RPC call, XDR returns an
    RPC_CANTENCODEARGS error, which causes multiple retries in
    ypmatch.
    Resolution:
    Increased the send size in ypbind, and modified the logic in
    ypmatch to flag an error if the key size exceeds the maximum
    limit.
    JAGae45826; SR 8606281883

    XDR stream manipulation is not handled correctly in some cases.
    Resolution:
    Modified the XDR code to correct the problem.
    JAGae55409; SR 8606291642

    catopen(3C) uses the paths listed in the NLSPATH environment
    variable for opening the specified catalog file. There is no
    option for the superuser to restrict the paths listed in NLSPATH.
    Resolution:
    catopen(3C) has been modified to restrict the paths listed in the
    NLSPATH environment variable. The restrictions are in effect for
    setuid programs owned by root and executed by others.

    A new configuration file, "/etc/default/nlspath", allows the
    superuser to restrict the paths set by others in the NLSPATH
    environment variable. This file contains only one entry with the
    following format:

        NLSPATH=pseudo-pathname:pseudo-pathname:...

    Pseudo-pathnames must be separated by a colon. If
    "/etc/default/nlspath" contains NLSPATH=*, the restrictions do
    not apply and the behavior is unchanged. The value assigned to
    NLSPATH in the configuration file should follow the convention
    for setting the NLSPATH environment variable; see the environ(5)
    man page.

    Only the paths present in both the configuration file and the
    environment variable are considered in the path search performed
    by catopen(3C).

    Any setuid program owned by root that uses catopen(3C), depends
    on the NLSPATH environment variable, and is executed by others
    may break once the patch is installed.
    JAGae75035; SR 8606312216

    Some of the XDR routines perform faulty length checks in some
    cases.
    Resolution:
    Code changes have been made to fix the defect.
    JAGae75654; SR 8606312847

    calloc(3C) miscalculates the requirement.
    Resolution:
    Modified the code to calculate the requirement accurately.
    JAGae75950; SR 8606313152

    PHCO_25898:
    The popen() call fails when the _VFORK_NO_CMA environment
    variable is set.
    Resolution:
    The calls from popen() to the close() system call were routed
    through the cma wrappers, which caused the problem in
    applications linked with libcma and run with the environment
    variable _VFORK_NO_CMA set. These calls now go through the direct
    system call interface.
    JAGad94650; SR 8606225567

    regexec() does not handle multibyte characters correctly.
    Resolution:
    The regexec() backtracking logic did not take multibyte
    characters into consideration and went back byte by byte. The
    code has been changed to handle multibyte backtracking.
    JAGad74356; SR 8606205180

    The core dump in getcwd() is the result of a NULL pointer
    dereference.
    Resolution:
    When the directory does not have read permission, the
    opendir(".") call within getcwd() returns NULL. The pointer was
    being dereferenced without checking this return value. A check
    has been added to detect this condition. If the condition is
    detected, getcwd() returns to the calling function after cleanup.
    JAGab95031; SR 8606112895

    PHCO_24145:
    Whenever vfork() is called in a threaded environment, it ends up
    calling cma_fork(), which behaves like a normal fork() system
    call.
    Resolution:
    The problem occurs because the vfork() call is converted to
    cma_fork() when the application is linked with libcma.
    cma_fork() in turn calls the fork() system call, which copies
    both the TEXT and DATA segments to the child and causes the
    problems for the customer application.

    To fix this problem, we have introduced a new environment
    variable called _VFORK_NO_CMA in libc. If this variable is set,
    the vfork() stub in libc calls the actual vfork system call
    directly and does not go through the cma wrapper cma_fork().

    We retained the existing default behaviour to avoid the risk of
    breaking any existing customer applications that assume fork
    semantics for vfork(). Applications get the new behaviour for
    vfork() only if they set this environment variable.

    Also, the exec wrapper in libcma has been changed not to modify
    any data if the child was created as a result of vfork(). This is
    needed because parent and child share the same data segment and
    we could possibly corrupt the parent data space.
    JAGad53376; SR 8606184167

    A program dumps core when it is compiled archive and uses argv[0]
    as an argument.
    Resolution:
    A program was compiled archive and used argv[0] as an argument.
    argv[0] was at the start of a page boundary, and the previous
    code stepped one byte past the beginning of the string ... and
    dumped core. Now we stop at the beginning of the string, and if
    the string starts with a "/", we increment past the "/", so there
    is no core dump.
    JAGad50843; SR 8606181627

    A program dumps core when argv[0] is given as the argument to
    dirname(3C) if the PATH environment variable is set as
    PATH=.:$PATH
    Resolution:
    The 10.20 version of basename(char *path) and
    dirname(char *path) can try to read at (path-1), which they
    should not do. This defect has been fixed in 11.00. The fix is
    now backported to 10.20.
    JAGad63107; SR 8606193897

Enhancement: No

SR:
    8606313152 8606312847 8606312216 8606291642 8606281883
    8606274555 8606274502 8606273042 8606271239 8606158464
    8606311409 8606225567 8606205180 8606112895 8606193897
    8606181627 8606184167

Patch Files:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    /usr/lib/libc.1

what(1) Output:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    /usr/lib/libc.1:
        PATCH-PHCO_26158 for 10.20; for 10.30, 11.x compatib
        ility libc.1_ID@@/main/r10dav/libc_dav/libc_
        dav_cpe//1
        /ux/core/libs/libc/shared_pa1/libc.1_ID
        Jun 12 2003 02:51:40

cksum(1) Output:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    263879543 1871872 /usr/lib/libc.1

Patch Conflicts: None

Patch Dependencies:
    s700: 11.11: PHCO_28427
    s800: 11.11: PHCO_28427

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_24145 PHCO_25898

Equivalent Patches: None

Patch Package Size: 770 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms and
    conditions for precautions, scope of license, restrictions, and
    limitation of liability and warranties, before
    installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_28481

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHCO_28481.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHCO_28481. If you do not wish to retain a copy
    of the original software, include the patch_save_files option in
    the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed,
             the patch cannot be deinstalled. Please be careful when
             using this feature.

    For future reference, the contents of the PHCO_28481.text file
    are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHCO_28481.depot

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

        dd if=/tmp/PHCO_28481.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    If libc patches are installed without rebooting, applications
    currently running which are linked shared against libc will
    still continue using the former version of libc. If this presents
    a problem to any applications, you should reboot.
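Added example (not HP's code and not part of the patch text): the bounded backward scan described under JAGad50843 and JAGad63107, exercised on a string placed at the first byte of a page whose predecessor is unreadable, so any read of path[-1] would fault. The function names and test strings are assumptions, and the scan is a sketch of the bound only, not a full basename(3C).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* for MAP_ANONYMOUS under a strict -std */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Final path component, found by scanning backward. The bound p > path is
 * tested before every step back, so path[-1] is never read. */
const char *last_component(const char *path)
{
    const char *p = path + strlen(path);

    while (p > path && *p != '/')
        p--;
    return (*p == '/') ? p + 1 : p;   /* step past a "/" if we stopped on one */
}

/* Copy s to the first byte of a page whose predecessor is PROT_NONE (the
 * argv[0] layout in the defect description) and scan it there. A read of
 * s[-1] would raise SIGSEGV. Returns NULL if the layout cannot be set up. */
const char *component_at_page_start(const char *s)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    if (base == MAP_FAILED || strlen(s) >= pg)
        return NULL;
    strcpy(base + pg, s);
    if (mprotect(base, pg, PROT_NONE) != 0)
        return NULL;
    return last_component(base + pg);   /* mapping is left in place */
}

int main(void)
{
    /* constructed inputs: no slash, leading slash, relative path */
    const char *in[] = { "a.out", "/a.out", "./bin/tool" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        const char *r = component_at_page_start(in[i]);
        puts(r ? r : "(could not set up guard page)");
    }
    return 0;
}
```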