Package: pidgin-sipe
Version: 1.21.1-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi,

it looks like the code of both versions 1.18.2 (stable) and 1.21.1 (stretch, sid) may be doing a use-after-free.

g_output_stream_write_async() is called via the do_write() wrapper at:
http://sources.debian.net/src/pidgin-sipe/1.21.1-1/src/telepathy/telepathy-transport.c/?hl=448#L431
and the buffer is freed at the next line.

Unfortunately, the g_output_stream_write_async() documentation says: "Note that no copy of buffer will be made, so it must stay valid until callback is called".

So I suppose g_free(buffer) should be called after the callback is executed and not just after scheduling the write.

Sorry if I am mistaken, I am quite fresh to GLib and originally I wanted to use that code to learn about GLib/GIO.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.16.0-4-amd64

Debian Release: 8.6
500 stable security.debian.org
500 stable ftp.pl.debian.org
500 oldstable ftp.pl.debian.org
50 testing security.debian.org
50 testing ftp.pl.debian.org
100 jessie-backports ftp.pl.debian.org

--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.

--
Marcin Szewczyk
http://wodny.org
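
The buffer-lifetime rule quoted in the report, as an added example that is not pidgin-sipe or GLib code: a constructed plain-C model of a no-copy asynchronous write in which the wrapper hands ownership of the buffer to the completion callback, which frees it only after the last partial write. All names (`write_async`, `pump`, `do_write_owned`, `on_written`, `run_demo`) and the sample message are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an async write with GIO's contract: the queue keeps
 * the caller's pointer (no copy) and reads it only when pump() runs later. */
struct pending { const char *buf; size_t len; void (*cb)(size_t, void *); void *ud; int used; };
static struct pending slot;            /* one outstanding write */
static char sink[64];                  /* where written bytes end up */
static size_t sink_len, buffers_freed;

static void write_async(const char *buf, size_t len, void (*cb)(size_t, void *), void *ud) {
    slot = (struct pending){ buf, len, cb, ud, 1 };
}
static int pump(void) {                /* one event-loop iteration */
    struct pending p = slot;
    if (!p.used) return 0;
    slot.used = 0;
    size_t n = p.len < 4 ? p.len : 4;  /* at most 4 bytes: forces partial writes */
    memcpy(sink + sink_len, p.buf, n); /* the buffer is dereferenced here */
    sink_len += n;
    p.cb(n, p.ud);
    return 1;
}

/* Ownership of the buffer travels with the request and ends in the callback. */
struct write_ctx { char *buffer; size_t len, off; };
static void on_written(size_t written, void *user_data) {
    struct write_ctx *ctx = user_data;
    ctx->off += written;
    if (ctx->off < ctx->len) {         /* partial write: buffer must stay alive */
        write_async(ctx->buffer + ctx->off, ctx->len - ctx->off, on_written, ctx);
        return;
    }
    free(ctx->buffer);                 /* no pending write references it now */
    free(ctx);
    buffers_freed++;
}
static void do_write_owned(char *buffer, size_t len) { /* takes ownership of buffer */
    struct write_ctx *ctx = malloc(sizeof *ctx);
    *ctx = (struct write_ctx){ buffer, len, 0 };
    write_async(buffer, len, on_written, ctx);
}

static int run_demo(const char *msg) { /* returns loop iterations needed */
    size_t len = strlen(msg);
    char *copy = malloc(len);
    memcpy(copy, msg, len);
    sink_len = buffers_freed = 0;
    do_write_owned(copy, len);         /* caller does NOT free copy after this */
    int iters = 0;
    while (pump()) iters++;
    return iters;
}
```

Freeing `copy` right after `do_write_owned()` returns would reproduce the pattern the report describes, because `pump()` reads the pointer only on a later loop iteration.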