RHSA-2016:0176: glibc security and bug fix update

Description

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.A stack-based buffer overflow was found in the way the libresolv libraryperformed dual A/AAAA DNS queries. A remote attacker could create aspecially crafted DNS response which could cause libresolv to crash or,potentially, execute code with the permissions of the user running thelibrary. Note: this issue is only exposed when libresolv is called from thenss_dns NSS service module. (CVE-2015-7547)It was discovered that the calloc implementation in glibc could returnmemory areas which contain non-zero bytes. This could result in unexpectedapplication behavior such as hangs or crashes. (CVE-2015-5229)The CVE-2015-7547 issue was discovered by the Google Security Team and RedHat. Red Hat would like to thank Jeff Layton for reporting theCVE-2015-5229 issue.This update also fixes the following bugs:With this update, the M_TRIM_THRESHOLD method is extended to apply to allmemory pools, which improves performance for threads with very high amountsof free calls and limits the number of "madvise" system calls. The changealso increases the total transient memory usage by processes because thetrim threshold must be reached before memory can be freed.To return to the previous behavior, you can either set M_TRIM_THRESHOLDusing the "mallopt" function, or set the MALLOC_TRIM_THRESHOLD environmentvariable to 0. (BZ#1298930)All glibc users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues.