glibc-2.33

[Bruce Dubbs]

New minor version.

[Bruce Dubbs]

Version 2.33

Major new features:

• The dynamic linker accepts the --list-tunables argument which prints all the supported tunables. This option is disable if glibc is configured with tunables disabled (--enable-tunables=no).

• The dynamic linker accepts the --argv0 argument and provides opportunity to change argv[0] string.

• The dynamic linker loads optimized implementations of shared objects from subdirectories under the glibc-hwcaps directory on the library search path if the system's capabilities meet the requirements for that subdirectory. Initially supported subdirectories include "power9" and "power10" for the powerpc64le-linux-gnu architecture, "z13", "z14", "z15" for s390x-linux-gnu, and "x86-64-v2", "x86-64-v3", "x86-64-v4" for x86_64-linux-gnu. In the x86_64-linux-gnu case, the subdirectory names correspond to the vendor-independent x86-64 microarchitecture levels defined in the x86-64 psABI supplement.

• The new --help option of the dynamic linker provides usage and information and library search path diagnostics.

• The mallinfo2 function is added to report statistics as per mallinfo, but with larger field widths to accurately report values that are larger than fit in an integer.

• Add <sys/platform/x86.h> to provide query macros for x86 CPU features.

• Support for the RISC-V ISA running on Linux has been expanded to run on 32-bit hardware. This is supported for the following ISA and ABI pairs:

• rv32imac ilp32
• rv32imafdc ilp32
• rv32imafdc ilp32d

The 32-bit RISC-V port requires at least Linux 5.4, GCC 7.1 and binutils 2.28.

• A new fortification level _FORTIFY_SOURCE=3 is available. At this level, glibc may use additional checks that may have an additional performance overhead. At present these checks are available only on LLVM 9 and later. The latest GCC available at this time (10.2) does not support this level of fortification.

Deprecated and removed features, and other changes affecting compatibility:

• The mallinfo function is marked deprecated. Callers should call mallinfo2 instead.

• When dlopen is used in statically linked programs, alternative library implementations from HWCAP subdirectories are no longer loaded. Instead, the default implementation is used.

• The deprecated <sys/vtimes.h> header and the function vtimes have been removed. To support old binaries, the vtimes function continues to exist as a compatibility symbol. Applications should use the getrlimit or prlimit.

• Following a change in the tzdata 2018a release upstream, the zdump program is now installed in the /usr/bin subdirectory. Previously, the /usr/sbin subdirectory was used.

• On s390(x), the type float_t is now derived from the macro FLT_EVAL_METHOD that is defined by the compiler, instead of being hardcoded to double. This does not affect the ABI of any libraries that are part of the GNU C Library, but may affect the ABI of other libraries that use this type in their interfaces. The new definition improves consistency with compiler behavior in many scenarios.

• A future version of glibc will stop loading shared objects from the "tls" subdirectories on the library search path, the subdirectory that corresponds to the AT_PLATFORM system name, and also stop employing the legacy AT_HWCAP search mechanism. Applications should switch to the new glibc-hwcaps mechanism instead; if they do not do that, only the baseline version (directly from the search path directory) will be loaded.

Changes to build and runtime requirements:

• On Linux, the system administrator needs to configure /dev/pts with the intended access modes for pseudo-terminals. glibc no longer attemps to adjust permissions of terminal devices. The previous glibc defaults ("tty" group, user read/write and group write) already corresponded to what most systems used, so that grantpt did not perform any adjustments.

• On Linux, the posix_openpt and getpt functions no longer attempt to use legacy (BSD) pseudo-terminals and assume that if /dev/ptmx exists (and pseudo-terminals are supported), a devpts file system is mounted on /dev/pts. Current systems already meet these requirements.

• s390x requires GCC 7.1 or newer. See gcc Bug 98269.

Security related changes:

CVE-2021-3326: An assertion failure during conversion from the ISO-20220-JP-3 character set using the iconv function has been fixed. This assertion was triggered by certain valid inputs in which the converted output contains a combined sequence of two wide characters crossing a buffer boundary. Reported by Tavis Ormandy.

CVE-2020-27618: An infinite loop has been fixed in the iconv program when invoked with input containing redundant shift sequences in the IBM1364, IBM1371, IBM1388, IBM1390, or IBM1399 character sets.

CVE-2020-29562: An assertion failure has been fixed in the iconv function when invoked with UCS4 input containing an invalid character.

CVE-2019-25013: A buffer overflow has been fixed in the iconv function when invoked with EUC-KR input containing invalid multibyte input sequences.

[Bruce Dubbs]

Fixed at revision 12109.

[ken@…]

Belatedly flagging as High as a reminder to create a security advisory.

Of the CVEs noted, CVE-2019-25013 and CVE-2020-29562 are listed as Medium at NVD, CVE-2020-27618 not found at NVD ('reserved' at mitre), CVE-2021-3326 undergoing analysis at NVD.

I assume that for most, if not all, LFS and BLFS users these will not be overly relevant since the only safe way to update glibc is to build a new system (although pulling out the patches, rebuilding, and then rebooting with unclean shutdown has been used in the past).