CLA-2002:535-Conectiva Linux Security Announcement - glibc

by Nikola Strahija on November 7th, 2002

The GNU C Library (glibc) is the standard library used by almost any program in a common GNU/Linux system. This announcement addresses four security vulnerabilities in glibc and also fixes the Brazilian timezone regarding the daylight saving time.


1. XDR integer overflow [2][3]
There is an integer overflow in the xdr_array() function derived from
Sun's XDR library. This overflow can lead to memory being allocated
with the wrong size, which will most likely cause buffer overflows
later on depending on how applications use the allocated memory. The
krb5 package also contains the vulnerable code and was already fixed
in a previous announcement[10].

2. Resolver read buffer overflow[4][5]
There is a vulnerability in the way the resolver res_* family of
functions contained in glibc and other BIND derived code are commonly
used. These functions place their answer in a caller-supplied buffer.
If this buffer is too small, the answer is truncated and the caller
can check what the actual size should be by reading the return value
of the function. Some callers, though, incorrectly take this value as
the size of the buffer and may then read beyond its end, eventually
causing a segmentation fault or some other kind of error.
Thanks to Olaf Kirch for sharing a patch to fix this problem.
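The contract at the heart of item 2 is easy to get wrong, so here is the correct and the incorrect caller side by side. This C code is an added illustration, not code from the advisory, from glibc or from BIND: mock_res_query() is a hypothetical stand-in for res_query() that does no network I/O and serves a constructed 96-byte reply, and query_into(), overrun_bytes() and sum_answer() are hypothetical names. The stand-in keeps the interface behaviour the advisory describes: it copies only what fits into the caller's buffer but returns the size of the whole answer.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { FULL_ANSWER = 96, ANS_BUF = 64 };

/* Constructed stand-in for res_query(): no network I/O.  It fills the caller's
 * buffer with as much of a 96-byte synthetic reply as fits, yet returns the
 * full reply length (96), which is the interface behaviour the advisory
 * describes.  Hypothetical name. */
int mock_res_query(const char *dname, unsigned char *answer, int anslen)
{
    unsigned char reply[FULL_ANSWER];
    int i;
    (void)dname;
    for (i = 0; i < FULL_ANSWER; i++)
        reply[i] = (unsigned char)i;          /* counting pattern, constructed */
    if (anslen < 0)
        return -1;
    memcpy(answer, reply, anslen < FULL_ANSWER ? anslen : FULL_ANSWER);
    return FULL_ANSWER;
}

struct answer {
    unsigned char buf[ANS_BUF];
    int len;          /* bytes that are really present in buf */
    int truncated;    /* the reply was longer than buf */
};

/* Correct caller: the return value says how large the buffer should have
 * been; the number of bytes that may be read is min(ret, sizeof buf). */
int query_into(struct answer *a)
{
    int ret = mock_res_query("example.invalid", a->buf, (int)sizeof a->buf);
    if (ret < 0)
        return -1;
    a->truncated = ret > (int)sizeof a->buf;
    a->len = a->truncated ? (int)sizeof a->buf : ret;
    return a->len;
}

/* The incorrect caller from the advisory, expressed as arithmetic instead of
 * being run: treating ret as the buffer size reads this many bytes past the
 * end of the buffer. */
int overrun_bytes(int ret, int anslen)
{
    return ret > anslen ? ret - anslen : 0;
}

/* Parser stand-in that honours a->len and therefore never leaves buf. */
unsigned int sum_answer(const struct answer *a)
{
    unsigned int s = 0;
    int i;
    for (i = 0; i < a->len; i++)
        s += a->buf[i];
    return s;
}

int main(void)
{
    struct answer a;
    int n = query_into(&a);
    printf("usable=%d truncated=%d overrun_if_ret_trusted=%d sum=%u\n",
           n, a.truncated, overrun_bytes(FULL_ANSWER, ANS_BUF), sum_answer(&a));
    return 0;
}
```

With a 64-byte buffer and a 96-byte reply the correct caller parses 64 bytes and records that the answer was truncated, so it can retry with a larger buffer; a caller that takes the return value of 96 as the buffer length reads 32 bytes past the end, which is the over-read the advisory describes.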

3. calloc(3) integer overflow[6]
calloc(3) is vulnerable to an integer overflow when multiplying the
number of elements by the size of each element. This operation was
not being verified and could result in less memory than needed to be
allocated. Subsequent uses of this buffer would most likely result in
buffer overflows.
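Items 1 and 3 are the same class of bug: a byte count computed as count * elsize without checking that the product fits the integer type. The following C code is an added illustration, not code from the advisory, from glibc or from Sun's XDR library; the function names (unchecked_bytes, u32_mul_overflows, size_mul_overflows, checked_calloc, xdr_array_bytes) are hypothetical. It shows the wrap-around that turns a request for 0x40000001 four-byte elements into a 4-byte block, and the division-based check that rejects such a request before anything is allocated.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* The vulnerable pattern: the byte count is computed in unsigned int, so for
 * count = 0x40000001 and elsize = 4 the product wraps to 4.  An allocator
 * handed this value returns a 4-byte block; the decoder then writes
 * count elements into it. */
unsigned int unchecked_bytes(unsigned int count, unsigned int elsize)
{
    return count * elsize;            /* wraps modulo 2^32, no diagnostic */
}

/* Checked 32-bit multiply: returns 1 if a*b would exceed UINT_MAX,
 * otherwise stores a*b in *out and returns 0. */
int u32_mul_overflows(unsigned int a, unsigned int b, unsigned int *out)
{
    if (a != 0 && b > UINT_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Same check in size_t, for allocator interfaces. */
int size_mul_overflows(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Item 3: a calloc(3)-style allocator that refuses a wrapped request instead
 * of returning a buffer smaller than nmemb*size.  Hypothetical name. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t bytes;
    if (size_mul_overflows(nmemb, size, &bytes))
        return NULL;                  /* report failure, never a short buffer */
    void *p = malloc(bytes ? bytes : 1);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Item 1: the size computation of an xdr_array()-style decoder.  The element
 * count arrives from the wire and is attacker controlled; it must be bounded
 * by the caller's maxsize and by the overflow check before it sizes a heap
 * block.  Returns 1 and the byte count on success, 0 if the count is rejected. */
int xdr_array_bytes(unsigned int wire_count, unsigned int maxsize,
                    unsigned int elsize, unsigned int *bytes_out)
{
    if (wire_count > maxsize)         /* bound on the element count */
        return 0;
    if (u32_mul_overflows(wire_count, elsize, bytes_out))
        return 0;                     /* the check the vulnerable code lacked */
    return 1;
}

int main(void)
{
    unsigned int n;
    printf("unchecked: 0x40000001 * 4 = %u bytes\n",
           unchecked_bytes(0x40000001u, 4));
    printf("checked xdr: %s\n",
           xdr_array_bytes(0x40000001u, UINT_MAX, 4, &n) ? "accepted" : "rejected");
    printf("checked calloc(SIZE_MAX/2+1, 4): %s\n",
           checked_calloc(SIZE_MAX / 2 + 1, 4) ? "returned block" : "NULL");
    return 0;
}
```

The check divides before multiplying, so the product is never formed in a width in which it could wrap. On the xdr_array() path the bound against maxsize alone is not enough: any maxsize above UINT_MAX / elsize still admits a count whose product wraps, which is why the overflow check is needed in addition to it.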

4. Possible information leak[7]
Dmitry V. Levin spotted a possible information leak with undersized
DNS responses, for which Solar Designer created a patch.

Daylight saving time ("summer time") update

On October 1st, 2002 the dates when daylight saving time will begin
and end were finally published[8] (a little more than 30 days of
advance notice). These dates have been inserted in glibc's zoneinfo.

Historically the dates on which daylight saving time starts and
ends have been chosen from year to year and are seldom the
same. The National Observatory is conducting a poll[9] about this and
we ask our users to take that poll and also express their opinion
about the randomness with which these dates seem to be chosen. With
luck, this kind of update will no longer be necessary in the future.

It is recommended that all users upgrade their glibc packages. To fix
the timezone regarding the daylight saving time in Brazil, please run
the "timeconfig" tool after the update and re-select your timezone.

IMPORTANT: all applications that were already running before the
update must now be restarted. The following command will list those
applications in the first column of the screen:

lsof | grep ;

If there is any doubt about which applications should be restarted,
we recommend that the system be rebooted.

6. http://CERT.Uni-Stuttgart.DE/advisories/calloc.php


Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples
can be found at

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
Instructions on how to check the signatures of the RPM packages can be
found at
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at

- -------------------------------------------------------------------------