[Bug 1028038] Re: sscanf always calls realloc/causes deadlock in google-perftools

Adam Conrad adconrad at 0c3.net
Wed Nov 14 22:49:08 UTC 2012


This bug was fixed in the package eglibc - 2.15-0ubuntu10.3

---------------
eglibc (2.15-0ubuntu10.3) precise; urgency=low

  * Backport fixes for dbl-64 and ldbl-128 issues (LP: #1000498)
  * Backport another FMA support patch from glibc master branch.

eglibc (2.15-0ubuntu10.2) precise-security; urgency=low

  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480

eglibc (2.15-0ubuntu10.1) precise; urgency=low

  * Backport fix from 2.16 to fix htons() conversion errors on non-x86
    architectures, by correctly casting to uint16_t (LP: #1016349)
  * Restore missing AT_EMPTY_PATH definition in fcntl.h (LP: #1010069)
  * Backport FMA4/AVX detection from glibc 2.16 (LP: #956051, #979003)
  * Backport fixups to AVX-using code to match the detection backport.
  * Backport fix from 2.16 for sscanf/realloc deadlock (LP: #1028038)
  * Backport for bogus FPE on underflow for exp(double) (LP: #1007457)
 -- Adam Conrad <adconrad at ubuntu.com> Wed, 03 Oct 2012 15:58:02 -0600


** Changed in: eglibc (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3406

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3480

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1028038

Title:
  sscanf always calls realloc/causes deadlock in google-perftools

Status in “eglibc” package in Ubuntu:
  Fix Released
Status in “eglibc” source package in Precise:
  Fix Released

Bug description:
  SRU Justification:

  [Impact]
  When using google-perftools eglibc causes a deadlock.

  [Development Fix]
  This is fixed in quantal.

  [Stable Fix]
  A fix can be backported from quantal into precise.

  [Test Case]
  Run google-perftools.

  [Regression Potential]
  Patch introduces changes in stdio-common/vfscanf.c.

  --

  This is currently causing a deadlock in the google-perftools testing.

  The fix has been committed to glibc 2.16 -
  http://cygwin.com/ml/libc-alpha/2012-01/msg00026.html

  It would be great if either glibc could be upgraded to 2.16 or this
  patch applied to the version in quantal.

  I have verified locally that this resolves the deadlock issue in
  google-perftools.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: libc6 2.15-0ubuntu15
  ProcVersionSignature: Ubuntu 3.5.0-5.5-generic 3.5.0-rc7
  Uname: Linux 3.5.0-5-generic x86_64
  ApportVersion: 2.4-0ubuntu5
  Architecture: amd64
  Date: Mon Jul 23 17:33:24 2012
  SourcePackage: eglibc
  UpgradeStatus: Upgraded to quantal on 2012-06-11 (42 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1028038/+subscriptions