Your message dated Sun, 18 Jan 2026 14:38:44 +0000
with message-id <[email protected]>
and subject line Bug#932927: fixed in libotr 4.1.1-6.1
has caused the Debian Bug report #932927,
regarding libotr: buggy unit test: test_auth.c: test_auth_clear()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
932927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932927
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libotr
Version: 4.1.1-3
Severity: normal
Tags: patch upstream
User: [email protected]
Usertags: riscv64
I have been investigating why test_auth fails with a segmentation
fault on riscv64:
| aurel32@riscv64:~/libotr/libotr-4.1.1/tests/unit$ ./test_auth
| 1..5
| ok 1 - OTR auth info init is valid
| Segmentation fault
Here is the corresponding backtrace:
| #0 _gcry_mpi_free_limb_space (a=0x100f30003, nlimbs=1179403647) at ../../mpi/mpiutil.c:142
| #1 0x00000020000c531c in _gcry_mpi_free (a=0x2000000000) at ../../mpi/mpiutil.c:224
| #2 0x00000020000471e8 in otrl_dh_keypair_free (kp=kp@entry=0x3fffa95170) at dh.c:89
| #3 0x000000200004adc4 in otrl_auth_clear (auth=0x3fffa95160) at auth.c:107
| #4 0x0000002aaaaab0f6 in test_auth_clear () at test_auth.c:70
| #5 0x0000002aaaaaaed2 in main (argc=<optimized out>, argv=<optimized out>) at test_auth.c:176
It happens that test_auth_clear() uses for its test a struct context
allocated on the stack. As such its contents are random.
otrl_auth_clear() is called on this random data, which in turn calls
otrl_dh_keypair_free() on this random data. The DH_keypair structure
contains 2 gcry_mpi_t fields, which are pointers. otrl_dh_keypair_free()
calls gcry_mpi_release() on those pointers, which ends up calling
_gcry_mpi_free_limb_space() to free the memory. Boom.
It seems this test only works by chance on other architectures as the
struct context in test_auth_new() and test_auth_clear() are at the same
location on the stack, and thus its contents are not random anymore when
entering test_auth_clear(). This seems to be confirmed by the last test
of this function: auth->context == &ctx. There is no way that
otrl_auth_clear() can set this value correctly, and it doesn't get
passed a pointer to ctx.
Therefore I believe that otrl_auth_new() should be called before
otrl_auth_clear(), like in the following patch:
--- a/tests/unit/test_auth.c
+++ b/tests/unit/test_auth.c
@@ -67,6 +67,7 @@
OtrlAuthInfo *auth = &ctx.auth;
/* API call. */
+ otrl_auth_new(&ctx);
otrl_auth_clear(auth);
ok(auth->authstate == OTRL_AUTHSTATE_NONE &&
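Review bot: the added otrl_auth_new(&ctx) call runs on a ctx that is still an uninitialized stack object, so the test now depends on otrl_auth_new() writing every field that otrl_auth_clear() later reads or releases. Zero ctx first (for example `memset(&ctx, 0, sizeof(ctx));` before the call) and add a one-line comment saying why new must precede clear, so the ordering is not later removed as redundant.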
Note that the issue can be easily reproduced on other architectures like
amd64 by making sure that ctx is random:
--- libotr-4.1.1.orig/tests/unit/test_auth.c
+++ libotr-4.1.1/tests/unit/test_auth.c
@@ -66,6 +66,11 @@ static void test_auth_clear(void)
struct context ctx;
OtrlAuthInfo *auth = &ctx.auth;
+ /* Initialize some fields to random values */
+ auth->our_dh.pub = (gcry_mpi_t) 0xc0ffee;
+ auth->our_dh.priv = (gcry_mpi_t) 0x0c0ffee;
+ auth->context = NULL;
+
/* API call. */
otrl_auth_clear(auth);
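Review bot: the comment above the three added assignments says "random values", but 0xc0ffee and 0x0c0ffee are the same fixed constant and auth->context is set to NULL, so nothing here is random. Reword it to something like "bogus non-NULL pointers to reproduce the crash", and since the function's final check auth->context == &ctx cannot pass after `auth->context = NULL;`, state in the comment that this hunk is a reproducer and not meant to be applied.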
--- End Message ---
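The failure mode described in the report above, as an added example that is not part of the original message or of libotr: the structs, `mpi_alloc()`, `mpi_release()`, `auth_new()` and `auth_clear()` are simplified stand-ins (assumptions), and the release function counts invalid pointers instead of dereferencing them so the buggy ordering can be observed without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified stand-ins for gcry_mpi_t and the libotr structs (assumptions). */
typedef struct mpi { int live; } *mpi_t;
struct keypair { mpi_t pub, priv; };
struct auth { int state; struct keypair our_dh; void *context; };
struct context { struct auth auth; };
static struct mpi pool[4];  /* the only objects that may legally be released */
static int bad_frees;       /* releases of pointers the allocator never issued */

static mpi_t mpi_alloc(void) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}

/* NULL is a no-op, as with gcry_mpi_release(); anything else must be live. */
static void mpi_release(mpi_t p) {
    if (p == NULL) return;
    for (size_t i = 0; i < 4; i++)
        if ((uintptr_t)p == (uintptr_t)&pool[i] && pool[i].live) { pool[i].live = 0; return; }
    bad_frees++;  /* a real allocator would dereference p here and may crash */
}

static void auth_new(struct context *ctx) {   /* role of otrl_auth_new() */
    ctx->auth.state = 0;
    ctx->auth.our_dh.pub = ctx->auth.our_dh.priv = NULL;
    ctx->auth.context = ctx;
}

static void auth_clear(struct auth *a) {      /* role of otrl_auth_clear() */
    a->state = 0;
    mpi_release(a->our_dh.pub);  a->our_dh.pub = NULL;
    mpi_release(a->our_dh.priv); a->our_dh.priv = NULL;
}

/* Poison ctx so the outcome never depends on stale stack contents, then
 * clear it with or without initializing first. Returns the bad releases. */
static int run_clear(int init_first, int *context_ok) {
    struct context ctx;
    memset(&ctx, 0xA5, sizeof ctx);
    bad_frees = 0;
    if (init_first) { auth_new(&ctx); ctx.auth.our_dh.pub = mpi_alloc(); }
    auth_clear(&ctx.auth);
    if (context_ok) *context_ok = (ctx.auth.context == (void *)&ctx);
    return bad_frees;
}
int main(void) { int ok = 0; return !(run_clear(0, NULL) == 2 && run_clear(1, &ok) == 0 && ok); }
```

Poisoning the struct before each run is what makes the result identical on every architecture, instead of depending on what a previous test left on the stack.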
--- Begin Message ---
Source: libotr
Source-Version: 4.1.1-6.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libotr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated libotr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 16 Jan 2026 21:09:28 +0200
Source: libotr
Architecture: source
Version: 4.1.1-6.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Privacy Tools Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 932927
Changes:
libotr (4.1.1-6.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Add patch from Aurelien Jarno to fix reading uninitialized data
in the tests. (Closes: #932927)
--- End Message ---