doc/share/security/advisories/FreeBSD-EN-15:09.xlocale.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-15:09.xlocale                                        Errata Notice
                                                          The FreeBSD Project

Topic:          Inconsistency between locale and rune locale states

Category:       core
Module:         libc
Announced:      2015-06-30
Credits:        David Chisnall
Affects:        FreeBSD 9.x and FreeBSD 10.x.
Corrected:      2015-06-17 19:12:18 UTC (stable/10, 10.1-STABLE)
                2015-06-30 23:21:37 UTC (releng/10.1, 10.1-RELEASE-p14)
                2015-06-17 19:13:13 UTC (stable/9, 9.3-STABLE)
                2015-06-30 23:21:48 UTC (releng/9.3, 9.3-RELEASE-p18)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.

I.   Background

Recent FreeBSD releases have support to thread-safe and extended locale API,
modeled after the Darwin xlocale(3) API.

The C standard locale API was reimplemented as a wrapper of the xlocale(3)
API with a global locale in order to support its semantics.

II.  Problem Description

The locale and rune locale may become out of sync, in which case calls of
mb* and similar functions would be supplied with wrong data.

III. Impact

Applications that uses xlocale but does not call setlocale(3) would crash.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-15:09/xlocale.patch
# fetch https://security.FreeBSD.org/patches/EN-15:09/xlocale.patch.asc
# gpg --verify xlocale.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all deamons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r284525
releng/9.3/                                                       r284986
stable/10/                                                        r284524
releng/10.1/                                                      r284985
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/188036>

The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:09.locale.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.5 (FreeBSD)

iQIcBAEBCgAGBQJVkyZQAAoJEO1n7NZdz2rnitMQAK5jY0n9Kv0VDwP5J4EXdcHZ
SOEE8n5O+bwWxVFWkqGGZrPQiUuJt6ujrAJb2iSeUtKIa2E84TLDVjmWGtyqP/RN
rLlRjVVQo14EhSScRI54oUeAYpoBWU8oRtFiixFbw24gFEW/ZeovFxQUY1Waueuy
Xpx28cmqQ3KG/T+Ujq1edHrtMpqwsBQd93eHRFSjtWaMrxmjnr4ln66AerdPQAYx
ib2rznxy+MCF0rmHbTsYnpZKZ1DupcyU7YkOdhVTk8cviL44wPGaCrA9Oaf6Q2hW
NTek9h5VQhvmhWaPsUZTGbQYPkvFjvEbmKOxRV+Mtf+UBt2y7SoqACpP1BbCC77n
8uRGdI8MPpC1j9RHZ5miWz4NkA3W1Pa/oi66PRhenzXgDe9Ua4aykklqnINhOrgm
ZBCLz1DXnx4WyeW2FIf7Z9GGcF3sUd9RU2e4H0WI3uZ75PT7p/zq1L4FKxXEn9/7
VoGy6cyQWwFUZ27lIcSGLeUhSolrtDofHPwKe8YB12bTXPhxjNYs+4iYWF0ZScOE
Wr9Jx7mKecNQ+jD5iEP2Ne7tzqSPSDZGzwkvifz+dmHT5L9hx6Pu916xp6/kzVg1
up31EcoQOn1N/ZHjC9VgGmyOgdA5ENHKNPhzcYp2CrJSadBHQHeINfwbRLdzLjVl
Nnt+YSShqakxvZhNmTex
=Wfyl
-----END PGP SIGNATURE-----