Package: libstring-compare-constanttime-perl
Version: 0.321-3
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,

I noticed on Trixie that my code using String::Compare::ConstantTime would randomly crash. In debugging it, I isolated the problem to the patch included in Debian for CVE-2024-13939, seen here:

https://sources.debian.org/patches/libstring-compare-constanttime-perl/0.321-3/

The patch constructs a memory address from two different pointers, which, if the high bits of one pointer do not match the high bits of the other pointer, points to a random memory location. Reading from that location causes a segfault:

+ unsigned char *s;
+ unsigned char r;
+ uintptr_t mask;
+
+ /* Orchestrate a dummy compare which never matches and whose run-time does
+  * not stand out if a_len != b_len */
+ r = (a_len != b_len);
+ /* Branching-less: s = (r) ? b : a */
+ mask = 0u - r;
+ s = (unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
+
+ for (i = 0; i < b_len; i++) {
+   r |= *s++ ^ *b++;
  }

For more details and a reproducer, see:

https://github.com/hoytech/String-Compare-ConstantTime/pull/21/#pullrequestreview-4345646603

Thanks,

-- Matthew Horsfall (alh)

-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.16.3+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages libstring-compare-constanttime-perl depends on:
ii  libc6                       2.41-12+deb13u3
ii  perl                        5.40.1-6
ii  perl-base [perlapi-5.40.1]  5.40.1-6

libstring-compare-constanttime-perl recommends no packages.

libstring-compare-constanttime-perl suggests no packages.

-- no debconf information
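Review bot: the mask in `mask = 0u - r;` is computed in unsigned int (r is promoted to int and then converted to match 0u), so for r == 1 it is UINT_MAX and, once stored in the 64-bit uintptr_t used on amd64, it is 0x00000000FFFFFFFF rather than all ones. The following line `s = (unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));` then takes the low 32 bits from b and the high 32 bits from a, which is the mixed address the report describes, and `r |= *s++ ^ *b++;` faults whenever the two buffers do not share the same upper 32 address bits. Compute the mask at pointer width instead, e.g. `mask = (uintptr_t)0 - r;` or `mask = -(uintptr_t)r;`, so that r == 1 yields an all-ones mask and s aliases b exactly; the r == 0 case is unaffected because ~0 is already all ones at any width.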
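The following is an added example, not code from String::Compare::ConstantTime, the Debian patch or the bug reporter. It reproduces the mask arithmetic of the quoted hunk on the integer values of two constructed addresses (an assumption: they differ in their upper 32 bits, as separately allocated buffers commonly do on amd64) so nothing is dereferenced, shows the corrected mask beside it, and finishes with the compare loop the hunk intends, built on the pointer-width mask.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from String::Compare::ConstantTime or the Debian
 * patch. It reproduces the mask arithmetic of the quoted hunk on the integer
 * values of two constructed addresses, so nothing is dereferenced. */

/* Mask exactly as the patch writes it: 0u - r is evaluated as unsigned int
 * (r is promoted) and only then widened to uintptr_t. For r == 1 that is
 * UINT_MAX zero-extended, not an all-ones uintptr_t when uintptr_t is wider. */
static uintptr_t mask_as_patched(unsigned char r) {
    uintptr_t mask = 0u - r;
    return mask;
}

/* The same idea computed in uintptr_t from the start: r == 1 gives all bits set. */
static uintptr_t mask_corrected(unsigned char r) {
    return (uintptr_t)0 - (uintptr_t)r;
}

/* Branch-free "r ? b : a" on address values, the shape used in the hunk. */
static uintptr_t select_addr(uintptr_t a, uintptr_t b, uintptr_t mask) {
    return (b & mask) | (a & ~mask);
}

/* Constructed addresses (assumption): they differ in their upper 32 bits. */
#define ADDR_A ((uintptr_t)0x000055d4c0a11230ULL)
#define ADDR_B ((uintptr_t)0x00007f3e1a4d9f40ULL)

/* Returns 1 when selecting b (r == 1) with the patch's mask yields an address
 * that is neither a nor b, i.e. the low half of b glued to the high half of a. */
int patched_mask_selects_stray_address(void) {
    uintptr_t s = select_addr(ADDR_A, ADDR_B, mask_as_patched(1));
    return s != ADDR_A && s != ADDR_B;
}

/* Same check with the pointer-width mask: the result is always exactly b. */
int corrected_mask_selects_stray_address(void) {
    uintptr_t s = select_addr(ADDR_A, ADDR_B, mask_corrected(1));
    return s != ADDR_A && s != ADDR_B;
}

/* The compare the hunk intends, with the mask computed in uintptr_t. When the
 * lengths differ, s aliases b, so the loop still runs b_len iterations and r
 * stays non-zero; when they match, s aliases a and the bytes are compared. */
int ct_equal(const unsigned char *a, size_t a_len,
             const unsigned char *b, size_t b_len) {
    unsigned char r = (a_len != b_len);
    uintptr_t mask = (uintptr_t)0 - (uintptr_t)r;
    const unsigned char *s =
        (const unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
    for (size_t i = 0; i < b_len; i++)
        r |= s[i] ^ b[i];
    return r == 0;
}

int main(void) {
    printf("patched mask selects stray address:   %d\n",
           patched_mask_selects_stray_address());
    printf("corrected mask selects stray address: %d\n",
           corrected_mask_selects_stray_address());
    printf("ct_equal(secret, secret)  = %d\n",
           ct_equal((const unsigned char *)"secret", 6, (const unsigned char *)"secret", 6));
    printf("ct_equal(secret, secreT)  = %d\n",
           ct_equal((const unsigned char *)"secret", 6, (const unsigned char *)"secreT", 6));
    printf("ct_equal(secret, secrets) = %d\n",
           ct_equal((const unsigned char *)"secret", 6, (const unsigned char *)"secrets", 7));
    return 0;
}
```

On a 32-bit target uintptr_t and unsigned int have the same width, so both masks agree and the stray-address check returns 0 for both; the defect only appears where uintptr_t is wider than unsigned int, which is why it surfaced on amd64 and only when the two buffers happened to land in different upper-32-bit regions.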

