Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hello release team,

A memory leak was found in libmagic's (src:file) loader of magic files, apparently independently by Shi Yin in PR/569 [1] and Arnaud Quette in #840754 [2]. This was fixed upstream in version 5.29, which is in testing and unstable (as 1:5.29-1); oldstable/wheezy doesn't seem to have this problem. For stable/jessie I'd like to handle this in the next point release.

The actual fix is commit FILE5_28-42-g10ee4ec [3], where commit FILE5_24-31-g3aa35aa [4] is needed as a prerequisite. I've dropped a hunk from that fix which AFAICS is not relevant for Debian and would otherwise require the inclusion of FILE5_25-3-gb0ccffd [5] as another prerequisite: according to its description, that third commit is needed on systems without mmap only.

Find attached:

* A debdiff for 1:5.22+15-2+deb8u3
* A cumulative patch of the code changes to ease review.

After applying the patch, the valgrind check as described in the BTS no longer reports leaks.

Regards,

    Christoph

[1] https://bugs.gw.com/view.php?id=569
[2] https://bugs.debian.org/840754
[3] https://github.com/file/file/commit/FILE5_28-42-g10ee4ec
[4] https://github.com/file/file/commit/FILE5_24-31-g3aa35aa
[5] https://github.com/file/file/commit/FILE5_25-3-gb0ccffd
diff -Nru file-5.22+15/debian/changelog file-5.22+15/debian/changelog --- file-5.22+15/debian/changelog 2016-05-09 08:23:30.000000000 +0200 +++ file-5.22+15/debian/changelog 2016-12-04 10:00:07.000000000 +0100 @@ -1,3 +1,9 @@ +file (1:5.22+15-2+deb8u3) stable; urgency=medium + + * Fix memory leak in magic loader. Closes: #840754 + + -- Christoph Biedl <debian.a...@manchmal.in-ulm.de> Sun, 04 Dec 2016 10:00:07 +0100 + file (1:5.22+15-2+deb8u2) stable; urgency=high * Fix CVE-2015-8865: diff -Nru file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch --- file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch 1970-01-01 01:00:00.000000000 +0100 +++ file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch 2016-12-02 00:00:46.000000000 +0100 
@@ -0,0 +1,32 @@ +Subject: Don't leak memory when loading non-compiled files +Origin: FILE5_24-31-g3aa35aa +Upstream-Author: Christos Zoulas <chris...@zoulas.com> +Date: Thu Sep 10 13:59:47 2015 +0000 + +--- a/src/apprentice.c ++++ b/src/apprentice.c +@@ -538,6 +538,7 @@ + private void + apprentice_unmap(struct magic_map *map) + { ++ size_t i; + if (map == NULL) + return; + +@@ -550,6 +551,8 @@ + #endif + case MAP_TYPE_MALLOC: + free(map->p); ++ for (i = 0; i < MAGIC_SETS; i++) ++ free(map->magic[i]); + break; + case MAP_TYPE_USER: + break; +@@ -1285,6 +1288,7 @@ + file_oomem(ms, sizeof(*map)); + return NULL; + } ++ map->type = MAP_TYPE_MALLOC; + + /* print silly verbose header for USG compat. */ + if (action == FILE_CHECK) diff -Nru file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch --- file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch 1970-01-01 01:00:00.000000000 +0100 +++ file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch 2016-12-04 09:36:35.000000000 +0100 
@@ -0,0 +1,22 @@ +Subject: PR/569: Shi Yin: Fix memory leak +Origin: FILE5_28-42-g10ee4ec +Upstream-Author: Christos Zoulas <chris...@zoulas.com> +Date: Sun Sep 11 13:53:02 2016 +0000 +Comment: Only relevant parts of that commit were used + +--- a/src/apprentice.c ++++ b/src/apprentice.c +@@ -404,11 +404,11 @@ + { + struct mlist *ml; + +- mlp->map = idx == 0 ? map : NULL; ++ mlp->map = NULL; + if ((ml = CAST(struct mlist *, malloc(sizeof(*ml)))) == NULL) + return -1; + +- ml->map = NULL; ++ ml->map = idx == 0 ? map : NULL; + ml->magic = map->magic[idx]; + ml->nmagic = map->nmagic[idx]; + diff -Nru file-5.22+15/debian/patches/series file-5.22+15/debian/patches/series --- file-5.22+15/debian/patches/series 2016-05-09 08:10:53.000000000 +0200 +++ file-5.22+15/debian/patches/series 2016-12-04 09:50:30.000000000 +0100 @@ -13,3 +13,5 @@ cherry-pick.FILE5_24-22-g27b4e34.parameter-1.patch cherry-pick.FILE5_24-23-g4ddb783.parameter-2.patch CVE-2015-8865.6713ca4.patch +cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch +cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch
diff --git a/src/apprentice.c b/src/apprentice.c index 1b574c5..ec7ac36 100644 --- a/src/apprentice.c +++ b/src/apprentice.c @@ -404,11 +404,11 @@ add_mlist(struct mlist *mlp, struct magic_map *map, size_t idx) { struct mlist *ml; - mlp->map = idx == 0 ? map : NULL; + mlp->map = NULL; if ((ml = CAST(struct mlist *, malloc(sizeof(*ml)))) == NULL) return -1; - ml->map = NULL; + ml->map = idx == 0 ? map : NULL; ml->magic = map->magic[idx]; ml->nmagic = map->nmagic[idx]; @@ -538,6 +538,7 @@ free: private void apprentice_unmap(struct magic_map *map) { + size_t i; if (map == NULL) return; @@ -550,6 +551,8 @@ apprentice_unmap(struct magic_map *map) #endif case MAP_TYPE_MALLOC: free(map->p); + for (i = 0; i < MAGIC_SETS; i++) + free(map->magic[i]); break; case MAP_TYPE_USER: break; @@ -1285,6 +1288,7 @@ apprentice_load(struct magic_set *ms, const char *fn, int action) file_oomem(ms, sizeof(*map)); return NULL; } + map->type = MAP_TYPE_MALLOC; /* print silly verbose header for USG compat. */ if (action == FILE_CHECK)
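Review bot: the DEP-3 header of cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch records "Comment: Only relevant parts of that commit were used" but not which part was dropped or why. Naming the omitted hunk there (the non-mmap one that would pull in FILE5_25-3-gb0ccffd, as the cover mail explains) saves whoever rebases this patch next from re-deriving it, and the cover mail is not shipped with the package.

Review bot: in the add_mlist hunk (@@ -404,11 +404,11 @@), the malloc-failure path now leaves `map` unowned. Before the change `mlp->map = idx == 0 ? map : NULL;` ran before the `malloc`, so on `return -1` the head node still referenced the map; after it, `mlp->map = NULL;` is set first and the only reference to `map` would have gone onto the `ml` node that was never allocated. Moving ownership from the head (which was overwritten with a new map on every call, so earlier maps could never be released) to the per-entry node is the right model, but it means the caller of add_mlist must apprentice_unmap the map itself when -1 comes back; that caller is outside this diff, so please confirm it does.

Review bot: in the MAP_TYPE_MALLOC hunk (@@ -550,6 +551,8 @@), the loop `for (i = 0; i < MAGIC_SETS; i++) free(map->magic[i]);` is only correct if every map tagged MAP_TYPE_MALLOC has each `map->magic[i]` as a heap block separate from `map->p`. If any loader path in the jessie source produces a MAP_TYPE_MALLOC map whose `magic[i]` pointers point into `map->p`, `free(map->p)` immediately followed by this loop is a double free. With the non-mmap hunk deliberately dropped, the only producer of MAP_TYPE_MALLOC should be apprentice_load (the hunk below), where the sets are allocated individually; worth stating that in the patch header. free(NULL) on unused sets is fine, so the loop needs no NULL check.

Review bot: in the apprentice_load hunk (@@ -1285,6 +1288,7 @@), `map->type = MAP_TYPE_MALLOC;` is set as soon as the allocation succeeds, so every later failure return in apprentice_load that goes through apprentice_unmap now reaches the MALLOC case and frees `map->p` and each `map->magic[i]`. That is safe only if the map is allocated zeroed (calloc) so those fields are NULL until filled, and if each failure path after this line calls apprentice_unmap rather than a bare free(map), which would reintroduce the leak for sets already allocated. Both the allocation and those failure paths sit just outside this hunk; please verify them against 5.22+15.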