Security Advisory glibc security update

Advisory: RHSA-2003:249-11
Type: Security Advisory
Severity: Important
Issued on: 2003-08-22
Last updated on: 2003-08-22
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0689

Details

Updated glibc packages that fix a number of bugs as well as a buffer
overflow issue are now available.

The GNU libc package (known as glibc) contains the standard C libraries
used by applications.

A bug in the getgrouplist function can cause a buffer overflow if
the size of the group list is too small to hold all the user's groups.
This overflow can cause segmentation faults in user applications, which may
have security implications, depending on the application in question. This
vulnerability exists only when an administrator has placed a user in a
number of groups larger than that expected by an application. Therefore,
there is no risk in instances where users are members of few groups. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0689 to this issue.
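
The failure mode described above is a caller-supplied buffer that is too small for the user's group list. The following wrapper, added here as an example and not taken from the advisory or from glibc, shows the defensive pattern on the application side: start with a small buffer, rely on getgrouplist(3) returning -1 and reporting the required count, grow the buffer, and retry, bounded by NGROUPS_MAX. The function names checked_getgrouplist, has_gid and lookup_includes_primary and the initial capacity of 4 are this example's own choices.

```c
/* Added example (not from the advisory or glibc): a defensive wrapper
 * around getgrouplist(3) that sizes the caller-supplied buffer from the
 * function's own feedback instead of guessing once. Names and the initial
 * capacity are this example's assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 if gid g appears in groups[0..n-1], else 0. */
int has_gid(const gid_t *groups, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == g)
            return 1;
    return 0;
}

/* Look up every group 'user' belongs to; 'primary' is always included.
 * On success returns the number of groups and stores a malloc'd array in
 * *out (caller frees). Returns -1 on allocation failure or if the list
 * would exceed NGROUPS_MAX. Contract relied on: when the buffer is too
 * small, getgrouplist returns -1 and writes the required count into
 * *ngroups, so the caller can retry with a buffer that fits. */
int checked_getgrouplist(const char *user, gid_t primary, gid_t **out)
{
    long max = sysconf(_SC_NGROUPS_MAX);
    if (max < 1)
        max = 65536;            /* Linux default if sysconf cannot tell */

    int cap = 4;                /* deliberately small first guess */
    gid_t *groups = NULL;

    for (;;) {
        gid_t *tmp = realloc(groups, (size_t)cap * sizeof *groups);
        if (tmp == NULL) {
            free(groups);
            return -1;
        }
        groups = tmp;

        int ngroups = cap;      /* in: capacity; out: count found/needed */
        if (getgrouplist(user, primary, groups, &ngroups) != -1) {
            *out = groups;
            return ngroups;     /* list fit: ngroups entries are valid */
        }

        /* Too small. Grow to the reported need; if the report did not
         * move (defensive against a misbehaving libc), double instead. */
        int next = (ngroups > cap) ? ngroups : cap * 2;
        if (next > max) {
            free(groups);
            return -1;
        }
        cap = next;
    }
}

/* Check helper: look 'user' up and confirm 'primary' is in the result. */
int lookup_includes_primary(const char *user, gid_t primary)
{
    gid_t *groups = NULL;
    int n = checked_getgrouplist(user, primary, &groups);
    int ok = (n >= 1) && has_gid(groups, n, primary);
    free(groups);
    return ok;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        perror("getpwuid");
        return 1;
    }
    gid_t *groups;
    int n = checked_getgrouplist(pw->pw_name, pw->pw_gid, &groups);
    if (n < 0) {
        fprintf(stderr, "getgrouplist failed for %s\n", pw->pw_name);
        return 1;
    }
    printf("%s is in %d group(s):", pw->pw_name, n);
    for (int i = 0; i < n; i++)
        printf(" %lu", (unsigned long)groups[i]);
    putchar('\n');
    free(groups);
    return 0;
}
```

Because the primary gid passed in is always part of the returned list, the lookup succeeds even for an account the name service does not know; the upper bound from sysconf keeps a corrupted or hostile group database from driving the loop to unbounded allocation.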

In addition, a number of other bugs in glibc have been fixed:

- An error prevented gdb from correctly debugging programs linked to
libpthread.

- A race condition existed in the malloc routine for IA64 platforms, which
could cause memory corruption.

- An error in pthread_spinlocks prevented spinlocks from functioning
correctly on IA64 platforms.

All users should upgrade to these errata packages, which contain patches to
the glibc libraries correcting these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only RPMs
that are currently installed will be updated; RPMs in the list that are
not installed will be skipped. Note that you can also use wildcards
(*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
glibc-2.2.4-32.8.src.rpm     779b9371ed6f3df44413d43439aedcdb
 
IA-32 (all files outdated by RHEA-2006:0279):
glibc-2.2.4-32.8.i386.rpm              a45f96f4d14dc6a7411699dae7929c2b
glibc-2.2.4-32.8.i686.rpm              ef0c8b62114ffdde63dafd6253c7e9d1
glibc-common-2.2.4-32.8.i386.rpm       4307ee9036a34fc75ac369b54560e8b8
glibc-devel-2.2.4-32.8.i386.rpm        d2a171dc3f0e406acb3089edc70add67
glibc-profile-2.2.4-32.8.i386.rpm      ed1d806491ef9bc28f435a7e6c8c8392
nscd-2.2.4-32.8.i386.rpm               7ada51ed827ebc1091f05c83186f0597
 
IA-64 (all files outdated by RHEA-2006:0279):
glibc-2.2.4-32.8.ia64.rpm              3001471f06cdeb6dbe12a2dca31401a5
glibc-common-2.2.4-32.8.ia64.rpm       55f60657c2b2f320e2393f6441de56a2
glibc-devel-2.2.4-32.8.ia64.rpm        6e359bee323035b993214b6bfb89e903
glibc-profile-2.2.4-32.8.ia64.rpm      b17a6bdc87d729cd39b767694cdb8a26
nscd-2.2.4-32.8.ia64.rpm               74d03cd22fe036b2f181d3f6528b97fa
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
glibc-2.2.4-32.8.src.rpm     779b9371ed6f3df44413d43439aedcdb
 
IA-32 (all files outdated by RHEA-2006:0279):
glibc-2.2.4-32.8.i386.rpm              a45f96f4d14dc6a7411699dae7929c2b
glibc-2.2.4-32.8.i686.rpm              ef0c8b62114ffdde63dafd6253c7e9d1
glibc-common-2.2.4-32.8.i386.rpm       4307ee9036a34fc75ac369b54560e8b8
glibc-devel-2.2.4-32.8.i386.rpm        d2a171dc3f0e406acb3089edc70add67
glibc-profile-2.2.4-32.8.i386.rpm      ed1d806491ef9bc28f435a7e6c8c8392
nscd-2.2.4-32.8.i386.rpm               7ada51ed827ebc1091f05c83186f0597
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
glibc-2.2.4-32.8.src.rpm     779b9371ed6f3df44413d43439aedcdb
 
IA-32 (all files outdated by RHEA-2006:0279):
glibc-2.2.4-32.8.i386.rpm              a45f96f4d14dc6a7411699dae7929c2b
glibc-2.2.4-32.8.i686.rpm              ef0c8b62114ffdde63dafd6253c7e9d1
glibc-common-2.2.4-32.8.i386.rpm       4307ee9036a34fc75ac369b54560e8b8
glibc-devel-2.2.4-32.8.i386.rpm        d2a171dc3f0e406acb3089edc70add67
glibc-profile-2.2.4-32.8.i386.rpm      ed1d806491ef9bc28f435a7e6c8c8392
nscd-2.2.4-32.8.i386.rpm               7ada51ed827ebc1091f05c83186f0597
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
glibc-2.2.4-32.8.src.rpm     779b9371ed6f3df44413d43439aedcdb
 
IA-64 (all files outdated by RHEA-2006:0279):
glibc-2.2.4-32.8.ia64.rpm              3001471f06cdeb6dbe12a2dca31401a5
glibc-common-2.2.4-32.8.ia64.rpm       55f60657c2b2f320e2393f6441de56a2
glibc-devel-2.2.4-32.8.ia64.rpm        6e359bee323035b993214b6bfb89e903
glibc-profile-2.2.4-32.8.ia64.rpm      b17a6bdc87d729cd39b767694cdb8a26
nscd-2.2.4-32.8.ia64.rpm               74d03cd22fe036b2f181d3f6528b97fa
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

101691 - Buffer overrun in getgrouplist function in initgroups.c
101998 - Broken pthread_spinlocks
82640 - Gdb unable to debug threaded apps
90672 - RHEL 3 and RHELAS2.1 QU3 IPF errata: Corrupted linked list due to memory ordering issues


Keywords

barrier, debugging, linuxthreads_db, malloc, threads


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/