
Bug 3762

Summary: nscd receives SIGSEGV for certain domain lookups
Product: [Retired] Red Hat Linux
Reporter: James Ralston <ralston>
Component: glibc
Assignee: Cristian Gafton <gafton>
Severity: medium
Priority: medium
Version: 6.0
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 1999-07-28 05:34:59 UTC

Description James Ralston 1999-06-27 20:37:29 UTC
[Note: this report is *not* really about bind, but the
Bugzilla system forced me to choose a component, and nscd
wasn't on the list.]

For the nscd-2.1.1-6 rpm, certain domain lookups
consistently crash the nscd daemon with SIGSEGV.

As of the time of this submission, a good demonstration of
this is to ensure nscd is running, and then point a web
browser at, which currently resolves as

$ host -a
rcode = 0 (Success), ancount=23
The following answer is not authoritative:    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A
For authoritative answers, see:        37247 IN        NS        37247 IN        NS        37247 IN        NS
Additional information:      52407 IN        A

Here are my running nscd processes:

$ ps fax
 1099 ?        S      0:00 nscd
 1102 ?        S      0:00  \_ nscd
 1103 ?        S      0:00      \_ nscd
 1104 ?        S      0:00      \_ nscd
 1105 ?        S      0:00      \_ nscd
 1106 ?        S      0:00      \_ nscd
 1107 ?        S      0:00      \_ nscd

Now, use strace to watch the parent nscd process (1099, in
this example) as one points a web browser to

SYS_168(0xbffffcec, 0x1, 0x3a98, 0x3a98, 0xbffffcec) = 1
accept(0, 0, NULL)                      = ? ERESTARTSYS (To be restarted)
--- SIGSEGV (Segmentation fault) ---

So far, this is the only domain I've encountered that
crashes nscd, but the fact that this looks a lot like a
buffer overflow problem gives me very queasy feelings about
running nscd.  I have not yet looked at the source, but if
this indeed is a buffer overflow problem, then it *might* be
possible for a clever person to stack-smash nscd (which
normally runs as root) and eventually gain root privileges.

BTW, I run nscd using the default /etc/nscd.conf that comes
with nscd-2.1.1-6; I have not made any modifications.

Comment 1 Jeff Johnson 1999-06-27 21:04:59 UTC
I'm changing the component to glibc because that's the name of the
src.rpm from which the nscd package comes ...

Comment 2 Jeff Johnson 1999-06-27 21:08:59 UTC
You might also look at #3171 which is also nscd related. There
is a fix for that problem that will be in the next glibc errata.

Comment 3 James Ralston 1999-07-13 22:09:59 UTC
Ok, I will wait for the next glibc errata release to show up on, and test it out then.

Comment 4 James Ralston 1999-07-21 21:03:59 UTC
Ok, I've grabbed glibc-2.1.2-1 and glibc-devel-2.1.2-1 from rawhide.
So far, so good; I haven't been able to get nscd to crash.  I'll
report back after a few days of regular use.

Comment 5 James Ralston 1999-07-27 19:26:59 UTC
I wasn't able to get nscd to crash even once with glibc-2.1.2-1.  As
far as I'm concerned, the problem is corrected; I'll wait for
glibc-2.1.2-1 to be released for Red Hat 6.0 before installing it on
my production machines.

Comment 6 Cristian Gafton 1999-07-28 05:34:59 UTC
Fixed in glibc-2.1.2-1 and later, available from rawhide.