Build Update for openssl/openssl ------------------------------------- Build: #38343 Status: Still Failing
Duration: 1 hr, 30 mins, and 23 secs Commit: 3d7e7e7 (master) Author: jwalch Message: Prevent potential UAF in init_thread_deregister() I discovered the potential for use-after-free on glob_tevent_reg & its members in this function as a consequence of some static (de-)initialization fiasco in C++ client code. Long story short, an EVP_PKEY_free() was happening after OPENSSL_cleanup(). Aside from being freed the EVP_PKEY object wasn't actually being used after cleanup, it was basically just an ordering issue. Obviously the application behavior here is somewhat suspect, but IMO is basically benign. Crashing (most typical outcome of a UAF) doesn't seem the optimal response. At any rate, the issue can be avoided (at least with regard to this function) by simply updating the pointer to NULL rather than leaving it pointing to the freed memory, as is the typical practice. Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13267) View the changeset: https://github.com/openssl/openssl/compare/d1ca39112386...3d7e7e7c4821 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/197234692?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.