Bug 18007 (CVE-2014-8121)

Summary: nss state sharing causes application denial of service (CVE-2014-8121)
Product: glibc
Reporter: Florian Weimer <fweimer>
Component: network
Assignee: Florian Weimer <fweimer>
Status: RESOLVED FIXED
Severity: normal
CC: vapier, xiaoyang
Priority: P2
Flags: fweimer: security+
Version: 2.21
Target Milestone: 2.22
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=18356
          https://bugs.gentoo.org/show_bug.cgi?id=552692
Bug Depends on: 18991

Description Florian Weimer 2015-02-23 11:24:17 UTC
Robin Hack discovered that Samba would enter an infinite loop when processing quota-related requests.  It turns out this is a bug in the nss_files database.  Performing a lookup in the middle of an iteration (say, getpwuid between getpwent) effectively resets the file pointer, so that the iteration starts again from the beginning.

I'll post a patch to libc-alpha shortly.
Comment 1 Andreas Schwab 2015-02-23 12:03:13 UTC
Why is samba still using getpwent?
Comment 2 Florian Weimer 2015-02-23 12:06:01 UTC
(In reply to Andreas Schwab from comment #1)
> Why is samba still using getpwent?

It seems that the SMB protocol has a service related to quota enumeration which maps poorly to the POSIX APIs in this area.
Comment 3 Sourceware Commits 2015-04-29 13:03:41 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  03d2730b44cc2236318fd978afa2651753666c55 (commit)
      from  7d0b2575416aec2717e8665287d0ab77826a0ade (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=03d2730b44cc2236318fd978afa2651753666c55

commit 03d2730b44cc2236318fd978afa2651753666c55
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.
    
    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:
    
    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …
    
    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.
    
      /* Reset file pointer to beginning or open file.  */			      \
      status = internal_setent (keep_stream);				      \
    									      \
      if (status == NSS_STATUS_SUCCESS)					      \
        {									      \
          /* Tell getent function that we have repositioned the file pointer.  */ \
          last_use = getby;							      \
    									      \
          while ((status = internal_getent (result, buffer, buflen, errnop	      \
    					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
    	     == NSS_STATUS_SUCCESS)					      \
    	{ break_if_match }						      \
    									      \
          if (! keep_stream)						      \
    	internal_endent ();						      \
        }									      \
    
    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:
    
      status = internal_setent (stayopen);
    
    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.
    
    Thus, the fix is this:
    
    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
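
Review bot: the literal 1 passed to internal_setent on the added line leaves the stayopen parameter of the set*ent implementation unused, with nothing at the call site saying why. A short comment there, stating that the stream has to stay open so that a lookup between two getXXent calls does not close it, would keep a later cleanup from restoring internal_setent (stayopen).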
    
    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    8 +++
 NEWS                      |   12 +++--
 nss/Makefile              |    2 +-
 nss/nss_files/files-XXX.c |    2 +-
 nss/tst-nss-getpwent.c    |  118 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 136 insertions(+), 6 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
Comment 4 Florian Weimer 2015-04-29 13:12:09 UTC
Fixed in glibc 2.22.
Comment 5 Andreas Schwab 2015-04-29 13:22:14 UTC
Not fixed.
Comment 6 Florian Weimer 2015-04-29 13:26:58 UTC
(In reply to Andreas Schwab from comment #5)
> Not fixed.

This bug covers a very specific scenario, based on the CVE description.  If we fix different things under the same CVE name, we will cause confusion, and some downstreams will miss the other fixes.  I have filed bug 18356 to cover the other issues.
Comment 7 Andreas Schwab 2015-04-29 13:32:31 UTC
The test fails.
Comment 8 Sourceware Commits 2015-05-11 08:45:20 UTC

The branch, master has been updated
       via  b13b96ca05a132a12dc5f3712b99e626670716bf (commit)
      from  e1b6cb04f5efff7fb7415c69511d3ab3c31c6e4a (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b13b96ca05a132a12dc5f3712b99e626670716bf

commit b13b96ca05a132a12dc5f3712b99e626670716bf
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   38 +++++++++++++++
 NEWS                         |    7 +--
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/nss_files/files-XXX.c    |  109 ++++++++++-------------------------------
 nss/nss_files/files-alias.c  |   90 +++++++++++-----------------------
 nss/nss_files/files-hosts.c  |   35 ++++---------
 8 files changed, 122 insertions(+), 185 deletions(-)
Comment 9 Andreas Schwab 2015-05-11 08:48:23 UTC
Fixed now.
Comment 10 Sourceware Commits 2015-05-25 19:17:43 UTC

The branch, ibm/2.20/master has been updated
       via  0a512fb591621e2c26efaf5ecc95e87763978386 (commit)
       via  9dc3dd905a5612717ed4b577b7f07294bff614f4 (commit)
      from  2aad087ddc0d14214f3d8fd1731a9b2e15f75091 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0a512fb591621e2c26efaf5ecc95e87763978386

commit 0a512fb591621e2c26efaf5ecc95e87763978386
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)
    
    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9dc3dd905a5612717ed4b577b7f07294bff614f4

commit 9dc3dd905a5612717ed4b577b7f07294bff614f4
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Conflicts:
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   35 ++++---------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 251 insertions(+), 183 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
Comment 11 Sourceware Commits 2015-05-26 14:20:36 UTC

The branch, ibm/2.19/master has been updated
       via  a9a40adad97c1259f4eb0f768278cc2070c014e1 (commit)
       via  ed21c85d5090667e3ab7d3a7e98dde43842aa70c (commit)
      from  19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a9a40adad97c1259f4eb0f768278cc2070c014e1

commit a9a40adad97c1259f4eb0f768278cc2070c014e1
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)
    
    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ed21c85d5090667e3ab7d3a7e98dde43842aa70c

commit ed21c85d5090667e3ab7d3a7e98dde43842aa70c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Conflicts:
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   35 ++++---------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 251 insertions(+), 183 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
Comment 12 Sourceware Commits 2015-05-26 20:54:53 UTC

The branch, ibm/2.18/master has been updated
       via  335863ea7cbc2c4c2a1947039565b781cf488a8f (commit)
       via  53d405329ab189725e72b317f18cd939c6ad240a (commit)
      from  3c7fb252298c48ef424e65fe63ea818d688f1088 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=335863ea7cbc2c4c2a1947039565b781cf488a8f

commit 335863ea7cbc2c4c2a1947039565b781cf488a8f
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)
    
    Conflicts:
    	NEWS
    	nss/nss_files/files-hosts.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=53d405329ab189725e72b317f18cd939c6ad240a

commit 53d405329ab189725e72b317f18cd939c6ad240a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Conflicts:
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   44 +++++----------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 255 insertions(+), 188 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
Comment 13 Sourceware Commits 2015-08-05 06:47:33 UTC

The annotated tag, glibc-2.22 has been created
        at  be75ddf5e4dfab2aa4ceb2428cc146e7ea26a346 (tag)
   tagging  78bd7499af46d739ce94410eaeea006e874ca9e5 (commit)
  replaces  glibc-2.21
 tagged by  Carlos O'Donell
        on  Wed Aug 5 02:45:12 2015 -0400

- Log -----------------------------------------------------------------
The GNU C Library
=================

The GNU C Library version 2.22 is now available.

The GNU C Library is used as *the* C library in the GNU system and
in GNU/Linux systems, as well as many other systems that use Linux
as the kernel.

The GNU C Library is primarily designed to be a portable
and high performance C library.  It follows all relevant
standards including ISO C11 and POSIX.1-2008.  It is also
internationalized and has one of the most complete
internationalization interfaces known.

The GNU C Library webpage is at http://www.gnu.org/software/libc/

Packages for the 2.22 release may be downloaded from:
        http://ftpmirror.gnu.org/libc/
        http://ftp.gnu.org/gnu/libc/

The mirror list is at http://www.gnu.org/order/ftp.html

NEWS for version 2.22
=====================

* The following bugs are resolved with this release:

  438, 4719, 6544, 6792, 11216, 12836, 13028, 13064, 13151, 13152, 14094,
  14292, 14841, 14906, 14958, 15319, 15467, 15790, 15969, 16159, 16339,
  16350, 16351, 16352, 16353, 16361, 16512, 16526, 16538, 16559, 16560,
  16704, 16783, 16850, 17053, 17090, 17195, 17269, 17293, 17322, 17403,
  17475, 17523, 17542, 17569, 17581, 17588, 17596, 17620, 17621, 17628,
  17631, 17692, 17711, 17715, 17776, 17779, 17792, 17833, 17836, 17841,
  17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965, 17967, 17969,
  17977, 17978, 17987, 17991, 17996, 17998, 17999, 18007, 18019, 18020,
  18029, 18030, 18032, 18034, 18036, 18038, 18039, 18042, 18043, 18046,
  18047, 18049, 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18116,
  18125, 18128, 18134, 18138, 18185, 18196, 18197, 18206, 18210, 18211,
  18217, 18219, 18220, 18221, 18234, 18244, 18245, 18247, 18287, 18319,
  18324, 18333, 18346, 18371, 18383, 18397, 18400, 18409, 18410, 18412,
  18418, 18422, 18434, 18444, 18457, 18468, 18469, 18470, 18479, 18483,
  18495, 18496, 18497, 18498, 18502, 18507, 18508, 18512, 18513, 18519,
  18520, 18522, 18527, 18528, 18529, 18530, 18532, 18533, 18534, 18536,
  18539, 18540, 18542, 18544, 18545, 18546, 18547, 18549, 18553, 18557,
  18558, 18569, 18583, 18585, 18586, 18592, 18593, 18594, 18602, 18612,
  18613, 18619, 18633, 18641, 18643, 18648, 18657, 18676, 18694, 18696.

* Cache information can be queried via sysconf() function on s390 e.g. with
  _SC_LEVEL1_ICACHE_SIZE as argument.

* A buffer overflow in gethostbyname_r and related functions performing DNS
  requests has been fixed.  If the NSS functions were called with a
  misaligned buffer, the buffer length change due to pointer alignment was
  not taken into account.  This could result in application crashes or,
  potentially, arbitrary code execution, using crafted, but syntactically
  valid DNS responses.  (CVE-2015-1781)

* The time zone file parser has been made more robust against crafted time
  zone files, avoiding heap buffer overflows related to the processing of
  the tzh_ttisstdcnt and tzh_ttisgmtcnt fields, and a stack overflow due to
  large time zone data files.  Overly long time zone specifiers in the TZ
  variable no longer result in stack overflows and crashes.

* A powerpc and powerpc64 optimization for TLS, similar to TLS descriptors
  for LD and GD on x86 and x86-64, has been implemented.  You will need
  binutils-2.24 or later to enable this optimization.

* Character encoding and ctype tables were updated to Unicode 7.0.0, using
  new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
  Hat).  These updates cause user visible changes, such as the fix for bug
  17998.

* CVE-2014-8121 The NSS backends shared internal state between the getXXent
  and getXXbyYY NSS calls for the same database, causing a denial-of-service
  condition in some applications.

* Added vector math library named libmvec with the following vectorized x86_64
  implementations: cos, cosf, sin, sinf, sincos, sincosf, log, logf, exp, expf,
  pow, powf.
  The library can be disabled with --disable-mathvec. Use of the functions is
  enabled with -fopenmp -ffast-math starting from -O1 for GCC version >= 4.9.0.
  Shared library libmvec.so is linked in as needed when using -lm (no need to
  specify -lmvec explicitly for not static builds).
  Visit <https://sourceware.org/glibc/wiki/libmvec> for detailed information.

* A new fmemopen implementation has been added with the goal of POSIX
  compliance. The new implementation fixes the following long-standing
  issues: BZ#6544, BZ#11216, BZ#12836, BZ#13151, BZ#13152, and BZ#14292. The
  old implementation is still present for use by existing binaries.

* The 32-bit sparc sigaction ABI was inadvertently broken in the 2.20 and 2.21
  releases.  It has been fixed to match 2.19 and older, but binaries built
  against 2.20 and 2.21 might need to be recompiled.  See BZ#18694.

* Port to Native Client running on ARMv7-A (--host=arm-nacl).
  Contributed by Roland McGrath (Google).

Contributors
============

This release was made possible by the contributions of many people.
The maintainers are grateful to everyone who has contributed
changes or bug reports.  These include:

Adhemerval Zanella
Alan Modra
Alexandre Oliva
Andreas Schwab
Andrew Senkevich
Andriy Rysin
Arjun Shankar
Aurelien Jarno
Benno Schulenberg
Brad Hubbard
Carlos O'Donell
Chris Metcalf
Christian Schmidt
Chung-Lin Tang
Cong Wang
Cyril Hrubis
Daniel Marjamäki
David S. Miller
Dmitry V. Levin
Eric Rannaud
Evangelos Foutras
Feng Gao
Florian Weimer
Gleb Fotengauer-Malinovskiy
H.J. Lu
Igor Zamyatin
J William Piggott
James Cowgill
James Lemke
John David Anglin
Joseph Myers
Kevin Easton
Khem Raj
Leonhard Holz
Mark Wielaard
Marko Myllynen
Martin Galvan
Martin Sebor
Matthew Fortune
Mel Gorman
Mike Frysinger
Miroslav Lichvar
Nathan Lynch
Ondřej Bílka
Paul Eggert
Paul Pluzhnikov
Pavel Kopyl
Pravin Satpute
Rajalakshmi Srinivasaraghavan
Rical Jasan
Richard Henderson
Roland McGrath
Rüdiger Sonderfeld
Samuel Thibault
Siddhesh Poyarekar
Stefan Liebler
Steve Ellcey
Szabolcs Nagy
Torvald Riegel
Tulio Magno Quites Machado Filho
Vincent Bernat
Wilco Dijkstra
Yaakov Selkowitz
Zack Weinberg

Adhemerval Zanella (36):
      powerpc: multiarch Makefile cleanup for powerpc64
      powerpc: Simplify bcopy default implementation
      powerpc: Remove POWER7 wordcopy ifunc
      powerpc: wordcopy/memmove cleanup for ppc64
      powerpc: multiarch Makefile cleanup for powerpc32
      powerpc: wordcopy/memmove cleanup for ppc32
      powerpc: sysdeps/powerpc configure cleanup
      powerpc: drop R_PPC_REL16 check
      powerpc: Fix TABORT encoding for little endian
      powerpc: Fix memmove static build
      powerpc: Fix inline feraiseexcept, feclearexcept macros
      Update powerpc-fpu ULPs.
      powerpc: Fix incorrect results for pow when using FMA
      powerpc: Remove HAVE_ASM_GLOBAL_DOT_NAME define
      powerpc: Fix __wcschr static build
      libc-vdso.h place consolidation
      Fix non-portable echo usage in sysdeps/unix/make-syscalls.sh
      Add BZ #16704 as fixed
      Fix stdlib/tst-setcontext3 with dash [BZ#18418]
      i386: Remove six-argument specialized implementations
      Remove socket.S implementation
      Consolidate vDSO macros and usage
      Consolidate gettimeofday across aarch64/s390/tile
      Update powerpc-fpu libm-test-ulps.
      Fix ChangeLog entry
      x86: clock_gettime and timespec_get vDSO cleanup
      Use inline syscalls for non-cancellable versions
      nptl: Rewrite cancellation macros
      Consolidate sched_getcpu
      x86: Remove vsyscall usage
      libio: fmemopen rewrite to POSIX compliance
      libio: Update tst-fmemopen2.c
      libio: Update powerpc64le libc.abilist
      Avoid C++ tests when the C++ cannot be linked
      libio: Fix fmemopen 'w' mode with provided buffer
      Update powerpc-fpu libm-test-ulps.

Alan Modra (5):
      Fix localplt test breakage with new readelf
      Remove HAVE_ASM_PPC_REL16 references
      powerpc64 configure message
      powerpc __tls_get_addr call optimization
      Harden powerpc64 elf_machine_fixup_plt

Alexandre Oliva (6):
      Unicode 7.0.0 update; added generator scripts.
      Amendments to Unicode 7 update.
      BZ #15969: search locale archive again after alias expansion
      Fix constness error just introduced in findlocale.
      Avoid unsafe loc_name type casts with additional variable
      Fix DTV race, assert, DTV_SURPLUS Static TLS limit, and nptl_db garbage

Andreas Schwab (16):
      Fix value of O_TMPFILE for architectures with non-default O_DIRECTORY (bug 17912)
      Filter out PTHREAD_MUTEX_NO_ELISION_NP bit in pthread_mutexattr_gettype (BZ #15790)
      Fix failure of elf/tst-audit2 when compiled with GCC-5
      Fix read past end of pattern in fnmatch (bug 18032)
      Fix parallel build error
      Don't define __CORRECT_ISO_CPP_STRING_H_PROTO for non-GCC compilers (bug 17631)
      m68k: fix 64-bit arithmetic in atomic operations (bug 18128)
      aarch64: Increase MINSIGSTKSZ and SIGSTKSZ (bug 16850)
      Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)
      Simplify handling of nameserver configuration in resolver
      Record TTL also for DNS PTR queries (bug 18513)
      Fix buffer overflow for writes to memory buffer stream (bug 18549)
      Update NEWS
      m68k: update libm test ULPs
      Fix spurious conform test failures
      Properly terminate FDE in makecontext for ix86 (bug 18635)

Andrew Senkevich (29):
      This is the beginning of series of patches with addition
      Refactoring of START for conditions in individual tests
      Last part of changes regarding to libm-test.inc: addition
      This patch adds infrastructure for addition of SIMD
      This is update for configure, build and install of vector math library.
      Localplt testing for vector math library and libmvec_hidden_* macro series.
      This patch adds detection of availability for AVX512F and AVX512DQ ISAs.
      Start of series of patches with x86_64 vector math functions.
      Addition of testing infrastructure for vector math functions.
      Vector cosf for x86_64.
      This patch adds vector cosf tests.
      More strict check of AVX512 support in assembler.
      Vector sin for x86_64 and tests.
      Vector sinf for x86_64 and tests.
      Vector log for x86_64 and tests.
      Vector logf for x86_64 and tests.
      Vector exp for x86_64 and tests.
      Vector expf for x86_64 and tests.
      Vector pow for x86_64 and tests.
      Vector powf for x86_64 and tests.
      Vector sincos for x86_64 and tests.
      Vector sincosf for x86_64 and tests.
      Fixed powerpc64 build.
      Combination of data tables for x86_64 vector functions sin, cos and sincos.
      Combination of data tables for x86_64 vector functions sinf, cosf and sincosf.
      More correct description of linking with vector math library.
      Fixed several libmvec bugs found during testing on KNL hardware.
      Added runtime check for AVX vector math tests.
      Prevent runtime fail of SSE vector math tests on non SSE4.1 machine.

Andriy Rysin (1):
      Fix sorting order for Ukrainian locale (BZ 17293)

Arjun Shankar (4):
      CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
      Ensure `wint_t' is defined before use in include/stdio.h
      Modify elf/tst-audit9.c to use test-skeleton.c
      Modify several tests to use test-skeleton.c

Aurelien Jarno (1):
      Fix ldconfig segmentation fault with corrupted cache (Bug 18093).

Benno Schulenberg (1):
      sprof: Make an error message identical to two others, and more accurate.

Brad Hubbard (1):
      Use calloc to allocate xports (BZ #17542)

Carlos O'Donell (15):
      Open development for 2.22.
      Fix missing ChangeLog attribution.
      NEWS: Fix spelling.
      Use alignment macros, pagesize and powerof2.
      hppa: Update libm-test-ulps.
      hppa: Fix feupdateenv and fesetexceptflag (Bug 18111).
      Enhance nscd's inotify support (Bug 14906).
      Bug 18125: Call exit after last linked context.
      Fail locale installation if localedef fails.
      Add sprintf benchmark.
      Fix ruserok scalability with large ~/.rhosts file.
      Add missing Advanced API (RFC3542) (1) defines.
      Regenerate libc.pot for 2.22 release.
      Updated translations for 2.22.
      Update version.h and include/features.h for 2.22 release

Chris Metcalf (8):
      linux-generic: add a README
      tile: Enable PI_STATIC_AND_HIDDEN
      tile: use better variable naming in INLINE_SYSCALL
      math/test-fenvinline: avoid compiler warning
      tile: Regenerate ULPs.
      tst-leaks: raise timeout to 5 seconds
      tile: Fix BZ #18508 (makecontext yield infinite backtrace)
      tilepro: fix warnings in sysdeps/tile/tilepro/bits/atomic.h

Christian Schmidt (1):
      Update currency_symbol in da_DK

Chung-Lin Tang (5):
      Adjust timeouts for some tests, to accommodate slow processors,
      Fix order of arguments to rt_sigprocmask syscall when setting the signal mask
      Update Nios II ulps file.
      Add #include <string.h> to nptl/tst-join7mod.c to silence GCC warnings.
      Fixes extern protected data handling testcases elf/tst-protected1a

Cong Wang (1):
      in.h: Coordinate in6_pktinfo and ip6_mtuinfo for kernel and glibc [BZ #15850]

Cyril Hrubis (1):
      Set errno to ENOMEM on overflow in sbrk (bug 18592)

Daniel Marjamäki (1):
      Add __nonnull attribute to wcscpy and wcsncpy [BZ#18265]

David S. Miller (7):
      Update SPARC ulps.
      Rebuilt fresh sparc ULPS to get rid of removed tests.
      Convert sparc over to lowlevellock-futex.h
      Sparc memchr/memcmp/strncmp fixes from Il'ya Malakhov.
      Update sparc localplt.data
      Fix sparc build.
      Regenerate SPARC ULPs.

Dmitry V. Levin (3):
      Prepare for restoration of .interp section in libpthread.so
      _res_hconf_reorder_addrs: fix typo in comment
      Fix potential hanging of gethostbyaddr_r/gethostbyname_r

Eric Rannaud (1):
      linux: open and openat ignore 'mode' with O_TMPFILE in flags

Evangelos Foutras (1):
      Fix __memcpy_chk on non-SSE2 CPUs

Feng Gao (1):
      Use "|" instead of "+" when combine the _IO_LINE_BUF and _IO_UNBUFFERED flags

Florian Weimer (32):
      NEWS: Also mention CVE-2015-1473
      _nss_nis_initgroups_dyn: Return status instead of NSS_STATUS_SUCCESS
      vfprintf: Introduce THOUSANDS_SEP_T
      vfprintf: Introduce JUMP_TABLE_BASE_LABEL
      vfprintf: Define WORK_BUFFER_SIZE
      Avoid SIGFPE in wordexp [BZ #18100]
      pthread_setaffinity (Linux variant): Rewrite to use VLA instead of alloca
      Define libc_max_align_t for internal use
      Add struct scratch_buffer and its internal helper functions
      scratch_buffer_grow_preserve: Add missing #include <string.h>
      pldd: Use struct scratch_buffer instead of extend_alloca
      grp: Rewrite to use struct scratch_buffer instead of extend_alloca
      _nss_compat_initgroups_dyn: Use struct scratch_buffer instead of extend_alloca
      getnameinfo: Use struct scratch_buffer instead of extend_alloca
      nscd_getgr_r: Use struct scratch_buffer instead of extend_alloca
      scratch_buffer: Suppress truncation warning on 32-bit
      Do not build with -Winline
      Make time zone file parser more robust [BZ #17715]
      posix_fallocate, posix_fallocate64 stub: Do not set errno
      test-skeleton: Support temporary files without memory leaks [BZ#18333]
      CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
      NEWS: BZ#18319 was fixed in commit ed159672eb3cd650a32b7e5cb4d5ec1fe0e63802
      i386: Remove fallocate, fallocate64, posix_fallocate, posix_fallocate64
      __ASSUME_FALLOCATE is always true on 32-bit architectures
      vfprintf: Move jump table definition and the macros out of function
      vfprintf: Introduce printf_positional function
      vfprintf: Remove label name switching for the jump table
      Avoid some aliasing violations in libio
      Fix indentation to match nesting in previous commit
      posix_fallocate: Emulation fixes and documentation [BZ #15661]
      Commit 7fe9e2e089f4990b7d18d0798f591ab276b15f2b fixes [BZ# 17322]
      pthread_key_create: Fix typo in comment

Gleb Fotengauer-Malinovskiy (1):
      nptl: restore .interp section in libpthread.so

H.J. Lu (23):
      Compile gcrt1.o with -fPIC
      Compile vismain with -fPIE and link with -pie
      Replace ELF_RTYPE_CLASS_NOCOPY with ELF_RTYPE_CLASS_COPY
      Replace __attribute__((visibility("protected")))
      Preserve bound registers in _dl_runtime_resolve
      Add ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA to x86
      Add a testcase for copy reloc against protected data
      Limit threads sharing L2 cache to 2 for SLM/KNL
      Check tzspec_len == 0 in __tzfile_read
      Remove a trailing `\' in make-syscalls.sh
      Don't issue an error if DT_PLTRELSZ is missing
      Make sure that calloc is called at least once
      Don't issue errors on GDB Python files
      Align TCB offset to the maximum alignment
      Support compilers defaulting to PIE
      Add a testcase for i386 LD_AUDIT
      Add and use sysdeps/i386/link-defines.sym
      Add la_symbind32 to x86-64 audit tests
      Improve bndmov encoding with zero displacement
      Replace %ld with %jd and cast to intmax_t
      Sort NEWS
      Add si_addr_bnd to _sigfault in x86 struct siginfo
      Extend local PLT reference check

Igor Zamyatin (1):
      Preserve bound registers for pointer pass/return

J William Piggott (1):
      [BZ #17969]

James Cowgill (1):
      [BZ #17930] MIPS: Define SHM_NORESERVE.

James Lemke (1):
      Fix for test "malloc_usable_size: expected 7 but got 11"

John David Anglin (2):
      hppa: fix __O_SYNC to match the kernel
      hppa: Fix feholdexcpt and fesetenv (Bug 18110).

Joseph Myers (162):
      soft-fp: Support floating-point extensions without quieting sNaNs.
      soft-fp: Refine FP_EX_DENORM handling for comparisons.
      soft-fp: Fix _FP_FMA when product is zero and third argument is finite (bug 17932).
      Remove sysdeps/mips soft-fp subdirectories.
      Fix sincos errno setting (bug 15467).
      Fix exp2 spurious underflows (bug 16560).
      Fix powerpc software sqrt (bug 17964).
      Fix powerpc software sqrtf (bug 17967).
      Fix dbl-64/wordsize-64 remquo (bug 17569).
      Fix MIPS __mips_isa_rev -Werror=undef build.
      Fix MIPS _COMPILING_NEWLIB -Werror=undef build.
      Fix MIPS _ABIO64 -Werror=undef build.
      Fix remquo spurious overflows (bug 17978).
      Fix sign of remquo zero remainder in round-downward mode (bug 17987).
      Refine documentation of libm exceptions goals.
      Fix posix_spawn getrlimit64 namespace (bug 17991).
      Fix search.h namespace (bug 17996).
      Fix atan / atan2 missing underflows (bug 15319).
      Fix scandir scandirat namespace (bug 17999).
      soft-fp: Adjust call to abort for kernel use.
      Fix x86/x86_64 scalb (qNaN, -Inf) (bug 16783).
      Fix ldbl-128ibm acoshl inaccuracy (bug 18019).
      Fix ldbl-128ibm asinhl inaccuracy (bug 18020).
      Fix ldbl-128ibm ilogbl near powers of 2 (bug 18029).
      Fix ldbl-128ibm logbl near powers of 2 (bug 18030).
      Fix asin missing underflows (bug 16351).
      Fix ldbl-128/ldbl-128ibm acosl inaccuracy (bug 18038, bug 18039).
      Avoid uninitialized warnings in Bessel functions.
      Avoid -Wno-write-strings for k_standard.c.
      Add comment to CSTR macro in k_standard.c.
      Fix ldbl-96, ldbl-128ibm atanhl inaccuracy (bug 18046, bug 18047).
      Correct __ASSUME_PRLIMIT64 for hppa/microblaze/sh (bug 17779).
      soft-fp: Condition sfp-machine.h include path on __KERNEL__.
      Fix /* in comment in previous commit.
      soft-fp: Support conditional zero-initialization in declarations.
      soft-fp: Use multiple-include guards.
      Add test for bug 18104.
      soft-fp: Add _FP_UNREACHABLE.
      soft-fp: Define and use _FP_STATIC_ASSERT.
      Make sem_timedwait use FUTEX_CLOCK_REALTIME (bug 18138).
      Note old commit as having resolved bug 11505.
      Add more tests of log2.
      Regenerate x86_64, x86 ulps from scratch.
      Add more tests of cosh, sinh.
      Add more tests of expm1.
      Add more tests of acos.
      Support six-argument syscalls from C for 32-bit x86, use generic lowlevellock-futex.h (bug 18138).
      Add more tests of asin.
      Remove unused macros from i386 lowlevellock.h.
      Add another test of asin.
      Add more tests of acosh, asinh and atanh.
      Fix dbl-64 atan in non-default rounding modes (bug 18197).
      Fix dbl-64 atan2 in non-default rounding modes (bug 18210, bug 18211).
      Add more tests of cabs.
      Add more tests of cbrt.
      Add more tests of atan.
      Add more tests of atanh.
      Add more tests of clog and clog10.
      Fix strtof decimal rounding close to half least subnormal (bug 18247).
      Fix ldbl-128 roundl for exponents in [31, 47] (bug 18346).
      Remove MIPS version of waitid.c.
      Add further tests of cosh and sinh.
      Add more tests of csqrt.
      Add more tests of erf, erfc.
      Add more tests of exp, exp10, exp2, expm1.
      Add more tests of log, log10, log1p, log2.
      Add more tests of lgamma.
      Add another test of pow.
      Add more tests of cos, sin, sincos.
      Add more tests of tan.
      Add more tests of tanh.
      Add more tests of tgamma.
      Add more tests of libm functions.
      Add further tests of libm functions.
      Add more tests of acosh, atanh, cos, csqrt, erfc, sin, sincos.
      Add more tests of csqrt, lgamma, log10, sinh.
      Fix mips16 __fpu_control static linking (bug 18397).
      Fix linknamespace test handling of architecture-specific st_other.
      Fix log1p missing underflows (bug 16339).
      Fix atanf spurious underflows (bug 18196).
      Fix erfcf spurious underflows (bug 18217).
      Fix lgammaf spurious underflows (bug 18220).
      Fix tanf spurious underflows (bug 18221).
      Fix atanhl missing underflows (bug 16352).
      Fix i386 atanhl spurious underflows (bug 18049).
      Fix ldbl-96 remquol (finite, Inf) (bug 18244).
      conformtest: clean up POSIX expectations for unistd.h.
      conformtest: correct POSIX expectations for locale.h.
      conformtest: use proper _POSIX_C_SOURCE value for POSIX.
      linknamespace: whitelist re_syntax_options.
      Fix sysdeps/ieee754/dbl-64/mpa.c for -Wuninitialized.
      Fix lgamma implementations for -Wuninitialized.
      Fix pathconf basename namespace (bug 18444).
      Restore _POSIX2_C_VERSION definition (bug 438).
      Fix ldbl-128 / ldbl-128ibm asinl for -Wuninitialized.
      Fix ldbl-128 / ldbl-128ibm erfcl for -Wuninitialized
      Fix ldbl-128 / ldbl-128ibm tanl for -Wuninitialized.
      Fix soft-fp fma for -Wuninitialized.
      Fix fnmatch towlower namespace (bug 18469).
      Use libc_hidden_proto / libc_hidden_def with __strnlen.
      Use better variable names in MIPS syscall macros.
      Fix fnmatch wmemchr namespace (bug 18468).
      Fix fnmatch strnlen namespace (bug 18470).
      Fix regex wctype namespace (bug 18495).
      Fix psignal, psiginfo declaration conditions (bug 18483).
      Fix regex wcrtomb namespace (bug 18496).
      Fix open_memstream namespace (bug 18498).
      Say "C++ tests" in comment on __open_memstream declaration.
      Fix pathconf statvfs namespace (bug 18507).
      Fix regcomp wcscoll, wcscmp namespace (bug 18497).
      Fix h_errno namespace (bug 18520).
      Fix ecvt_r, fcvt_r namespace (bug 18522).
      Fix aio_* pread namespace (bug 18519).
      Fix getlogin_r namespace (bug 18527).
      Fix grp.h endgrent, getgrent namespace (bug 18528).
      Fix netdb.h addrinfo namespace (bug 18529).
      Fix syslog fputs_unlocked namespace (bug 18530).
      Fix linknamespace expectations for in6addr_any, in6addr_loopback.
      Fix gethostbyaddr in6addr_any, in6addr_loopback namespace (bug 18532).
      Fix vsyslog namespace (bug 18533).
      Fix syslog dprintf namespace (bug 18534).
      Fix sem_* tdelete, tfind, tsearch, twalk namespace (bug 18536).
      Fix fmtmsg addseverity namespace (bug 18539).
      Fix getpass fflush_unlocked namespace (bug 18540).
      Fix swscanf vswscanf namespace (bug 18542).
      Fix mq_notify pthread_barrier_* namespace (bug 18544).
      Create hidden aliases for non-libc syscalls automatically.
      Fix mq_receive, mq_send mq_timed* namespace (bug 18545).
      Fix mq_notify socket, recv namespace (bug 18546).
      Fix ttyslot namespace (bug 18547).
      Fix nice getpriority, setpriority namespace (bug 18553).
      Remove ldbl-128ibm variants of complex math functions.
      Fix netinet/in.h MCAST_* namespace (bug 18558).
      Remove stray spurious-underflow markings from cexp test.
      Remove include/bits/ipc.h.
      Fix asinh missing underflows (bug 16350).
      conformtest: Support xfail markers on individual assertions.
      conformtest: Fix pselect expectations.
      Fix x86 / x86_64 expl, exp10l missing underflows (bug 16361).
      Correct ChangeLog syntax for conditional change within function.
      Fix x86_64 / x86 expm1l (-min_subnorm) result sign (bug 18569).
      Fix expm1 missing underflows (bug 16353).
      Fix exp2, exp2f spurious underflows (bug 18219).
      Fix csqrt spurious underflows (bug 18371).
      Fix math/Makefile dependency on libm-test.stmp for libmvec tests.
      Fix spurious "inexact" exceptions from __kernel_standard_l (bug 18245, bug 18583).
      Fix sin, sincos missing underflows (bug 16526, bug 16538).
      Fix ldbl-128 expl missing underflows (bug 18586).
      Fix csin, csinh overflow in directed rounding modes (bug 18593).
      Move csin, csinh tests to auto-libm-test-in.
      Fix cexp, ccos, ccosh, csin, csinh spurious underflows (bug 18594).
      Refactor libm tests.
      Use round-to-nearest internally in jn, test with ALL_RM_TEST (bug 18602).
      Update headers for Linux 4.0, 4.1 definitions.
      Fix j1, jn missing underflows (bug 16559).
      Fix ldbl-128 j1l spurious underflows (bug 18612).
      Improve tgamma accuracy (bug 18613).
      Regenerate MIPS libm-test-ulps.
      Regenerate ARM libm-test-ulps.
      Regenerate powerpc-nofpu libm-test-ulps.
      Fix ldbl-128 expm1l (-min_subnorm) result sign (bug 18619).
      Mark bug 2981 (elf/tst-audit* fail on MIPS) as fixed.

Kevin Easton (1):
      Reduce lock contention in __tz_convert() [BZ #16145] (partial fix)

Khem Raj (2):
      Reflect renaming of bh_IN and tu_IN in SUPPORTED file [BZ #17475]
      locale: Do not define lang_ab for tcy_IN and bhb_IN

Leonhard Holz (6):
      Remove unused definitions
      Improve strcoll with strdiff.
      Split locale generation snippet into a separate file
      Add strcoll benchmark
      remove now unused idxnow in strcoll
      remove unnecessary memset in strcoll

Mark Wielaard (2):
      elf.h SHF_EXCLUDE signed int 31 bit shift triggers undefined behaviour.
      elf.h: Add section compression constants and structures.

Marko Myllynen (4):
      Fix bo_CN and bo_IN.
      Fix monetary.h comment
      Remove unused PREDEFINED_CLASSES code
      locale: Remove obsolete repertoire map references

Martin Galvan (2):
      NPTL: swap comments for THREAD_SETMEM and THREAD_SETMEM_NC for i386 and x86_64
      NPTL: Remove duplicate definition of PTHREAD_ADAPTIVE_MUTEX_INITIALIZER_NP

Martin Sebor (4):
      powerpc: setcontext.S uses power6 mtfsf when not supported [BZ #18116]
      Attempting to install glibc configured with --prefix=/usr into
      The C++ 2011 std::call_once function is specified to allow
      The patch committed to fix bug #18435 caused regressions on aarch64

Matthew Fortune (2):
      ia64: remove fixed page size macros and others [BZ #17792]
      Add support for DT_MIPS_RLD_MAP_REL.

Mel Gorman (2):
      malloc: Consistently apply trim_threshold to all heaps [BZ #17195]
      malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]

Mike Frysinger (27):
      ia64: drop custom getpagesize
      hppa: fix build failure with RTLD_PRIVATE_ERRNO
      add changelog for previous commit
      alloca: fix buf interaction
      manual: drop strerror C89 compatibility note
      hppa: update __O_SYNC fix with [BZ #18068]
      pwd.h: add __nonnull markings [BZ #18641]
      nscd: drop selinux/flask.h include
      tst-tzset: raise timeout to 5 seconds
      hppa/ia64: _dl_symbol_address: add PLT bypass for rtld
      hppa/ia64: _dl_unmap: make it hidden
      sparc: fix sigaction for 32bit builds [BZ #18694]
      ia64: siginfo.h: delete siginfo name
      ia64: sifaction.h: change sa_flags to an int
      ia64: stat.h: rename pad0 to __glibc_reserved0
      ia64: msg.h: fix msg_qnum/msg_qbytes types
      ia64: sigaction.h: fix sa_flags ordering
      conform/linknamespace: whitelist matherrf/matherrl
      pwd.h: revert __nonnull markings on putpwent [BZ #18641]
      ia64: clean up old kernel headers cruft
      ia64: atomic.h: fix atomic_exchange_and_add 64bit handling
      ia64: drop __tls_get_addr from expected ld.so plt usage
      hppa: rewrite INLINE_SYSCALL
      hppa: fix sysdep.h header setup
      hppa: sigaction.h: change sa_flags to an int
      hppa: fix pthreadtypes.h namespace failures
      hppa: add bz entry for pthreadtypes.h fix

Miroslav Lichvar (1):
      Update timex.h for ADJ_SETOFFSET.

Nathan Lynch (1):
      ARM: VDSO support

Ondřej Bílka (2):
      Handle mblen return code when n is zero.
      Use strspn/strcspn/strpbrk ifunc in internal calls.

Paul Eggert (6):
      Add ersatz _Static_assert on older C hosts
      * manual/time.texi (TZ Variable): glibc no longer comes with tzdata.
      * stdlib/setenv.c (__add_to_environ):
      * stdlib/setenv.c (__add_to_environ): Revert previous change.
      Better fix for setenv (..., NULL, ...)
      Remove obsolete aliases that broke 'locale -a'

Paul Pluzhnikov (13):
      Cleanup: add missing #include's
      Fix BZ #17269 -- _IO_wstr_overflow integer overflow
      Fix BZ #17916 - fopen unbounded stack usage for ccs= modes
      Fix minor formatting violation.
      Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch
      Fix BZ #18043: buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
      Cleanup: in preparation for fixing BZ #16734, fix memory leaks exposed by
      Refactor wordexp-test.c such that words always ends at the edge of
      Fix off-by-one which caused BZ #18042 and add a test for it.
      Mention BZ #18042 in NEWS.
      Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
      Minor refactoring:
      Fix BZ #18043 comment # 19: don't call undefined setenv(..., NULL, 1).

Pavel Kopyl (1):
      Add forced deletion support to _dl_close_worker

Pravin Satpute (1):
      Correcting language code for Bhili and Tulu locales (bug 17475)

Rajalakshmi Srinivasaraghavan (2):
      powerpc: POWER7 strncpy optimization for unaligned string
      powerpc: strstr optimization

Rical Jasan (1):
      manual: complete example in error message documentation

Richard Henderson (5):
      alpha: Unconditionally include dl-sysdep.h in sysdep.h
      alpha: Update libm-test-ulps
      math/test-fenvinline: Cast fe_exc to unsigned int before printing
      alpha: Update libm-test-ulps
      soft-fp: Fix alpha kernel build problem

Roland McGrath (97):
      Clean up sysdep-dl-routines variable.
      Exclude rpcent functions and NSS backends for rpc, key when excluding sunrpc.
      x86: Clean up __vdso_clock_gettime variable.
      Clean up NPTL fork to be compat-only.
      Clean up NPTL longjmp to be compat-only.
      Clean up NPTL system to be compat-only.
      Clean up nptl/tst-join5 use of nanosleep.
      Fix nptl/tst-kill5 not to presume SIGRTMAX exists.
      Fix dirent/tst-fdopendir not to presume O_NOATIME exists.
      Fix libio/tst-atime not to presume ST_NOATIME exists.
      Move tst-getlogin to login/ subdirectory.
      Do not use SA_NOCLDWAIT in tst-pselect.
      Conditionalize some tests' use of SA_SIGINFO.
      Use signal rather than sigaction in nptl/tst-cleanup2.
      NPTL: Build tests using clone directly only for Linux.
      Don't set unused field in rt/tst-timer2.
      Conditionalize use of SIGRTMIN in nptl/tst-locale1.c.
      NPTL: Conditionalize some sanity tests for SIGCANCEL/SIGSETXID.
      ARM: Add missing sfi_breg in LDR_GLOBAL macro.
      Clean up math/test-snan.
      Pointless update in README.
      Another pointless update in README.
      Support after-link variable to run a final step on binaries.
      Use -Werror=undef for assembly code.
      NPTL: Initializer for .init_array-only configurations.
      Add placeholder c++-types.data and *.abilist files.
      Don't crash in iconv setup when getcwd fails.
      Convert tst-iconv5 to use test-skeleton.
      Convert tst-iconv3 to use test-skeleton.
      Convert dlfcn/tststatic2 to use test-skeleton.
      Deglobalize internal variables in timer_routines.c.
      Avoid C++ tests when the C++ cannot be linked.
      Avoid more C++ tests.
      Conditionalize some test code for SIGRTMIN, SA_SIGINFO.
      Split rpcent tests out of tst-netdb.
      Define ETH_ALEN in generic <netinet/if_ether.h>.
      Avoid re-exec-self in bug-setlocale1.
      ChangeLog format
      Document test-wrapper-env-only in INSTALL.
      Harmonize posix/regcomp.c with gnulib: comment formatting
      Let tests result in UNSUPPORTED; use that for unbuildable C++ cases
      ARM: Rewrite sysdeps/arm/tls-macros.h
      ARM: Fix memcpy & memmove for [ARM_ALWAYS_BX]
      Minor cleanups in libio/iofdopen.c
      Convert dlfcn/tststatic to use test-skeleton.
      Make test-skeleton.c grok TEST_DIRECT magic environment variable.
      Let non-add-on preconfigure scripts set libc_config_ok.
      Omit libc-modules.h for all .v.i files.
      Add arm-nacl port.
      Fuller check for invalid NSID in _dl_open.
      Avoid confusing compiler with dynamically impossible statically invalid dereference in _dl_close_worker.
      ARM: Define PI_STATIC_AND_HIDDEN.
      NaCl: Make __suseconds_t be long int rather than int32_t.
      NaCl: Fix symbol names for euidaccess.
      NaCl: Change clock_t to long int.
      NaCl: Fix elf_loader file name in nacl-test-wrapper.sh
      BZ#18383: Add test case for large alignment in TLS blocks.
      NaCl: Implement gethostname.
      NaCl: Provide non-default values for uname.
      Add a test case for scandir.
      Break __scandir_cancel_handler out into its own file.
      Refactor scandir/scandirat to use common tail.
      Nit fixes in last change.
      NaCl: Make fdopendir skip fcntl check.
      Refactor opendir.
      BZ#18434: Fix sem_post EOVERFLOW check for [!__HAVE_64B_ATOMICS].
      BZ#18434: Mark fixed in NEWS.
      Move usleep.c using nanosleep to sysdeps/posix.
      NaCl: Set tid field to a unique value.
      Fix nptl-init.c use of INTERNAL_SYSCALL_DECL.
      Split timed-wait functions out of nptl/lowlevellock.c.
      NaCl: Add NaCl-specific __lll_timedlock_wait.
      NaCl: Fix thinko in last change.
      NaCl: Fix lll_futex_timed_wait timeout calculation.
      NaCl: Make thread exit wake pthread_join.
      Fix setenv.c diagnostic pragma to be compatible with GCC 4.6
      BZ#18383: Another test case, with TLS refs and defs in separate TUs.
      NaCl: Implement nacl_interface_ext_supply entry point.
      Line-wrap some log entries.
      Print more information in tst-getcpu failure case.
      NaCl: Fix glob.c build after getlogin_r -> __getlogin_r.
      Use unsigned types for counters in AIO code.
      Use unsigned types for counters in getaddrinfo_a code.
      NPTL: Use unsigned type for setxid_futex.
      Install a dummy <rpc/netdb.h> when not building sunrpc/.
      Fix some places to use $(LN_S) makefile variable.
      BZ#18383: Conditionalize test-xfail-tst-tlsalign{,-static} on ARM assembler bug.
      PLT avoidance for _exit in rtld.
      Provide __libc_fatal for rtld.
      NaCl: Make pthread_condattr_setclock reject CLOCK_MONOTONIC.
      Factor file identity rules out of generic rtld code.
      Add abilist files and NEWS item for arm-nacl port.
      NaCl: Use only nacl_irt_dev_filename, never nacl_irt_filename.
      NaCl: Fix missing getdtablesize symbol.
      Add SIGWINCH to generic <bits/signum.h>.
      Make sysdeps/posix bring in login subdir.
      NaCl: Remove bogus O_SHLOCK, O_EXLOCK definitions.

Rüdiger Sonderfeld (1):
      Document tv_sec is of type time_t:

Samuel Thibault (28):
      hurd: fix build with pthread aio
      hurd: fix f?chflags prototypes, declare them and their flags
      hurd: allow poll() array bigger than FD_SETSIZE
      hurd: map nice levels 1-to-1 with Mach prio levels
      hurdselect: Let select get interrupted by signals
      hurd: fix sigstate locking
      hurdselect: remove dead code.
      hurd: support mmap with PROT_NONE
      hurd: add basic types for ioctls
      hurd: fix compilation of signal.h in C++
      hurd: fix compilation of signal.h in C++
      hurd: Ignore bytes beyond sockaddr length for AF_UNIX
      hurd: fix tls.h build
      hurd: Fix abi-tag, following ba90e05
      Fix time/getdate.c build.
      add hurd/hurdsocket.h file missing from a5eb23d
      hurd: fix unwind-resume.c build
      hurd: fix unwind-resume.c build
      Add fixed bug numbers to NEWS
      Revert "hurd: Fix abi-tag, following ba90e05"
      Fix aio_error thread-safety.
      hurd: Make libc able to call pthread stubs
      Add missing dependency
      Fix warnings
      Fix visibility of EXTPROC macro
      Add more exception to local headers list
      mach: fix typo
      hurd: permit to use mlock from non-root process

Siddhesh Poyarekar (25):
      Consolidate arena_lookup and arena_lock into a single arena_get
      Skip logging for DNSSEC responses [BZ 14841]
      Fix up NEWS merge goof-up
      Update NEWS
      Minor changelog fixup
      Add *.pyc to .gitignore
      Add envz_remove to the libc manual
      Succeed if make check does not report any errors
      Avoid deadlock in malloc on backtrace (BZ #16159)
      Fix typo in safety annotations in envz_remove
      Fix monetary.h comment
      New module to import and process benchmark output
      benchtest: script to compare two benchmarks
      Avoid boolean coercion in tst-tls-atexit test case
      Remove unnecessary mutex locks from tst-tls-atexit test case
      Whitespace fix in tst-tls-atexit.c
      Fix up ChangeLog
      Fix up typo in tst-tls-atexit
      Set NODELETE flag when opening already open objects with RTLD_NODELETE
      Whitespace fixup in cxa_thread_atexit_impl.c
      Add comment to clarify how the test can fail
      Remove Linuxism from tst-tls-atexit
      Also use l_tls_dtor_count to decide on object unload (BZ #18657)
      Mention dl_load_lock by name in the comments
      Use IE model for static variables in libc.so, libpthread.so and rtld

Stefan Liebler (18):
      S390: Build failure due to nptl/pt-longjmp.c changes.
      s390: Use generic lowlevellock-futex.h
      S/390: Regenerate ULPs
      S/390: Fix setcontext/swapcontext which are not restoring sigmask.
      Update tst_mbrlen/tst_mbrtowc for mblen change
      Set errno for log1p on pole/domain error.
      Use correct signedness in wcsncmp
      S/390: Get cache information via sysconf
      S/390: Regenerate ULPs
      Adjust tst-strfmon1 after da_DK locale change.
      S/390: Regenerate ULPs
      Fix timezone tests run in parallel.
      Fix benchtests build failure after 'add benchmark for strcoll'
      S390: Fix sem.h conformance test failures.
      S390: Regenerate ULPs.
      S390: Fix "backtrace() returns infinitely deep stack frames with makecontext()" [BZ #18508].
      S390: Regenerate ULPs
      i686: Mark stdlib/tst-makecontext as XFAIL.

Steve Ellcey (6):
      2015-02-13  Steve Ellcey  <sellcey@imgtec.com>
      2015-02-17  Steve Ellcey  <sellcey@imgtec.com>
      2015-02-17  Steve Ellcey  <sellcey@imgtec.com>
      2015-02-18  Steve Ellcey  <sellcey@imgtec.com>
      * inet/rcmd.c (rresvport_af): Change ss to anonymous union
      * resolv/res_hconf.c (_res_hconf_reorder_addrs): Use a union to

Szabolcs Nagy (11):
      [AArch64] Fix the big endian loader name.
      [AArch64] Fix inline asm clobber list in tls-macros.h
      struct stat is not posix conform
      [BZ 18034][AArch64] Lazy TLSDESC relocation data race fix
      [AArch64] Fix cfi_adjust_cfa_offset usage in dl-tlsdesc.S
      Regenerate aarch64 libm-test-ulps
      [AArch64] make setcontext etc functions consistent with the kernel
      [AArch64][BZ 18400] fix elf_prpsinfo in procfs.h
      [AArch64][BZ 18648] change greg_t definition in ucontext.h
      [AArch64][BZ #17711] Fix extern protected data handling
      [ARM][BZ #17711] Fix extern protected data handling

Torvald Riegel (11):
      Make error checking effective in nptl/tst-cond25.c.
      ia64: Remove custom lowlevellock.h
      Fix lost wake-up when pthread_rwlock_timedrwlock times out.
      Fix missing wake-ups in pthread_rwlock_rdlock.
      Fix atomic_full_barrier on x86 and x86_64.
      Clean up BUSY_WAIT_NOP and atomic_delay.
      Remove documentation of lowlevellock systemtap probes.
      Do not create invalid pointers in C code of string functions.
      Add and use new glibc-internal futex API.
      Clean up semaphore EINTR handling after Linux futex docs clarification.
      hppa: Remove custom lowlevellock.h.

Tulio Magno Quites Machado Filho (2):
      BZ #18116: Mark fixed in NEWS.
      Avoid outputting to TTY after an expected memory corruption in testcase

Vincent Bernat (1):
      time: ensure failing strptime() tests are reported correctly

Wilco Dijkstra (14):
      Rather than using a C implementation of memset, directly call memset, which
      Rather than using a C implementation of memmove, directly call memmove, which
      Use __copysign rather than copysign.
      2015-05-06  Szabolcs Nagy  <szabolcs.nagy@arm.com>
      Remove various ABS macros and replace uses with fabs (or in one case abs)
      Add missing math_private includes.
      2015-05-28  Wilco Dijkstra  <wdijkstr@arm.com>
      2015-06-02  Szabolcs Nagy  <szabolcs.nagy@arm.com>
      This patch renames all uses of __isinf*, __isnan*, __finite* and __signbit* to use standard C99 macros. This has no effect on generated code.
      Replace finite with isfinite.
      Remove unused file sysdeps/ieee754/support.c
      Inline __ieee754_sqrt and __ieee754_sqrtf. Also add external definitions.
      Optimize the strlen implementation by using a page cross check and a fast check
      Add AArch64 versions of math_opt_barrier and math_force_eval that avoid going via memory.

Yaakov Selkowitz (1):
      manual: fix XPG basename prototype

Zack Weinberg (1):
      Deprecate the use of regexp.h

-----------------------------------------------------------------------
Comment 14 Sourceware Commits 2015-10-19 11:13:43 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.21/master has been updated
       via  e871e19b5f19d2e6595e911b0a5b1c19cda20cc7 (commit)
      from  f2cdbadd8a078482d3b9fc2b59e888c64cc4efae (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e871e19b5f19d2e6595e911b0a5b1c19cda20cc7

commit e871e19b5f19d2e6595e911b0a5b1c19cda20cc7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.
    
    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:
    
    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …
    
    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.
    
      /* Reset file pointer to beginning or open file.  */			      \
      status = internal_setent (keep_stream);				      \
    									      \
      if (status == NSS_STATUS_SUCCESS)					      \
        {									      \
          /* Tell getent function that we have repositioned the file pointer.  */ \
          last_use = getby;							      \
    									      \
          while ((status = internal_getent (result, buffer, buflen, errnop	      \
    					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
    	     == NSS_STATUS_SUCCESS)					      \
    	{ break_if_match }						      \
    									      \
          if (! keep_stream)						      \
    	internal_endent ();						      \
        }									      \
    
    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:
    
      status = internal_setent (stayopen);
    
    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.
    
    Thus, the fix is this:
    
    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
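
Review bot: the added line `status = internal_setent (1);` hard-codes the flag, so the stayopen argument of the set*ent implementation no longer reaches internal_setent at all. A one-line comment at that call saying the stream has to stay open for the whole iteration, because DB_LOOKUP closes it when keep_stream is 0, would stop a later cleanup from restoring `internal_setent (stayopen)`.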
    
    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.
    
    (cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55)
    
    Conflicts:
    	ChangeLog
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    8 +++
 NEWS                      |    7 ++-
 nss/Makefile              |    2 +-
 nss/nss_files/files-XXX.c |    2 +-
 nss/tst-nss-getpwent.c    |  118 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 134 insertions(+), 3 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
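
A simplified model of the state sharing described in the commit message above, added here as an illustration and not taken from glibc or from nss/tst-nss-getpwent.c: it replays an enumeration with one lookup per entry against an in-memory table, with and without the one-line fix. The `model_*` and `iterate_with_lookups` names, the sample uids, and the way the model's getpwent reopens and repositions the stream are assumptions of the model.

```c
/* Constructed sample database standing in for /etc/passwd (uids only).  */
static const int uids[] = { 0, 1, 2, 1000 };
enum { NREC = sizeof uids / sizeof uids[0] };

/* Shared module state, modelled on the statics in files-XXX.c.  */
static int is_open, cursor, position, keep_stream;
static enum { nouse, getent, getby } last_use;

static void internal_setent (int stayopen) {
  is_open = 1; cursor = 0;             /* open the file, or rewind it */
  keep_stream |= stayopen;
}

static void model_setpwent (int patched) {
  internal_setent (patched ? 1 : 0);   /* pre-fix: stayopen, always 0 here */
  position = cursor; last_use = getent;
}

/* Returns the next uid, or -1 at end of file.  */
static int model_getpwent (void) {
  if (!is_open) { internal_setent (0); position = cursor; }  /* reopen at 0 */
  if (last_use != getent) { cursor = position; last_use = getent; }
  if (cursor >= NREC) return -1;
  position = cursor + 1;               /* remember where to resume */
  return uids[cursor++];
}

/* DB_LOOKUP: rewind, scan for a match, close unless keep_stream is set.  */
static int model_getpwuid (int uid) {
  int found = 0;
  internal_setent (keep_stream);
  last_use = getby;
  while (!found && cursor < NREC)
    found = (uids[cursor++] == uid);
  if (!keep_stream) is_open = 0;       /* internal_endent () */
  return found;
}

/* One lookup per entry; returns entries seen, or -1 once LIMIT is exceeded.  */
int iterate_with_lookups (int patched, int limit) {
  int n = 0;
  is_open = cursor = position = keep_stream = 0; last_use = nouse;
  model_setpwent (patched);
  while (model_getpwent () != -1) {
    if (++n > limit) return -1;
    (void) model_getpwuid (1000);
  }
  return n;
}
```

Calling `iterate_with_lookups (0, 100)` models the pre-fix behaviour, where every lookup closes the stream and the next getpwent starts over at the first record; `iterate_with_lookups (1, 100)` models the fixed call and visits each record once.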
Comment 15 Sourceware Commits 2015-10-19 11:23:06 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  83e9e8b0464dcff36930b8bb53d04ac3b551b5a3 (commit)
      from  012adb33827608d3b78e3832a1948b468b549946 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=83e9e8b0464dcff36930b8bb53d04ac3b551b5a3

commit 83e9e8b0464dcff36930b8bb53d04ac3b551b5a3
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.
    
    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:
    
    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …
    
    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.
    
      /* Reset file pointer to beginning or open file.  */			      \
      status = internal_setent (keep_stream);				      \
    									      \
      if (status == NSS_STATUS_SUCCESS)					      \
        {									      \
          /* Tell getent function that we have repositioned the file pointer.  */ \
          last_use = getby;							      \
    									      \
          while ((status = internal_getent (result, buffer, buflen, errnop	      \
    					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
    	     == NSS_STATUS_SUCCESS)					      \
    	{ break_if_match }						      \
    									      \
          if (! keep_stream)						      \
    	internal_endent ();						      \
        }									      \
    
    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:
    
      status = internal_setent (stayopen);
    
    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.
    
    Thus, the fix is this:
    
    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
    
    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.
    
    (cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55)
    
    Conflicts:
    	ChangeLog
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    8 +++
 NEWS                      |    7 ++-
 nss/Makefile              |    2 +-
 nss/nss_files/files-XXX.c |    2 +-
 nss/tst-nss-getpwent.c    |  118 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 134 insertions(+), 3 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
Comment 16 Sourceware Commits 2016-02-16 18:58:27 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, gentoo/2.21 has been updated
       via  6d0b7b443c9735672bb76d003c3f7263c5292d7d (commit)
      from  460e5da421067eb690ba3b9d11183c4b7db37e4f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6d0b7b443c9735672bb76d003c3f7263c5292d7d

commit 6d0b7b443c9735672bb76d003c3f7263c5292d7d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.
    
    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:
    
    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …
    
    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.
    
      /* Reset file pointer to beginning or open file.  */			      \
      status = internal_setent (keep_stream);				      \
    									      \
      if (status == NSS_STATUS_SUCCESS)					      \
        {									      \
          /* Tell getent function that we have repositioned the file pointer.  */ \
          last_use = getby;							      \
    									      \
          while ((status = internal_getent (result, buffer, buflen, errnop	      \
    					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
    	     == NSS_STATUS_SUCCESS)					      \
    	{ break_if_match }						      \
    									      \
          if (! keep_stream)						      \
    	internal_endent ();						      \
        }									      \
    
    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:
    
      status = internal_setent (stayopen);
    
    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.
    
    Thus, the fix is this:
    
    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
    
    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.
    
    (cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55)
    
    Conflicts:
    	ChangeLog
    	NEWS
    
    (cherry picked from commit e871e19b5f19d2e6595e911b0a5b1c19cda20cc7)

-----------------------------------------------------------------------

Summary of changes:
 nss/Makefile              |    2 +-
 nss/nss_files/files-XXX.c |    2 +-
 nss/tst-nss-getpwent.c    |  118 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c