Package: mhash
Version: 0.9.9.9-7
Severity: normal
Tags: patch pending

Dear maintainer,

Via Ubuntu we found a use-after-free in mhash. The testsuite fails with a segfault, with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
tcache_get (tc_idx=2) at malloc.c:2937
2937	malloc.c: No such file or directory.
(gdb) bt
#0  tcache_get (tc_idx=2) at malloc.c:2937
#1  __GI___libc_malloc (bytes=36) at malloc.c:3051
#2  0xf7f9c0c5 in mutils_malloc (n=36) at stdfns.c:91
#3  0xf7f9b670 in mhash_init_int (type=MHASH_MD5) at mhash.c:319
#4  0xf7f9b86c in mhash_init (type=MHASH_MD5) at mhash.c:430
#5  0xf7f9b957 in mhash_hmac_deinit (td=0x5655a2e0, result=0x5655a390) at mhash.c:479
#6  0xf7f9ba9b in mhash_hmac_end_m (td=0x5655a2e0, hash_malloc=0xf7f9c0a0 <mutils_malloc>) at mhash.c:529
#7  0xf7f9bad2 in mhash_hmac_end (td=0x5655a2e0) at mhash.c:536
#8  0x565563d3 in main () at hmac_test.c:93

This is a use after free - see the attached diff.

I've prepared an NMU for mhash (versioned as 0.9.9.9-7.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer.

Regards,

-- 
Iain Lane                                  [ i...@orangesquash.org.uk ]
Debian Developer                                   [ la...@debian.org ]
Ubuntu Developer                                   [ la...@ubuntu.com ]

diff -Nru mhash-0.9.9.9/debian/changelog mhash-0.9.9.9/debian/changelog --- mhash-0.9.9.9/debian/changelog 2014-05-24 08:48:29.000000000 +0100 +++ mhash-0.9.9.9/debian/changelog 2019-09-04 09:53:54.000000000 +0100 @@ -1,3 +1,12 @@ +mhash (0.9.9.9-7.1) unstable; urgency=medium + + * Non-maintainer upload. + * debian/patches/0015-mhash-0.9.9-no-free-before-use.patch: Take patch from + Fedora to fix use-after-free in the testsuite, which is failing in Ubuntu + and likely will in Debian at some point. + + -- Iain Lane <i...@orangesquash.org.uk> Wed, 04 Sep 2019 09:53:54 +0100 + mhash (0.9.9.9-7) unstable; urgency=medium * add build dependency on pkg-config for its autoconf macros. diff -Nru mhash-0.9.9.9/debian/patches/0015-mhash-0.9.9-no-free-before-use.patch mhash-0.9.9.9/debian/patches/0015-mhash-0.9.9-no-free-before-use.patch --- mhash-0.9.9.9/debian/patches/0015-mhash-0.9.9-no-free-before-use.patch 1970-01-01 01:00:00.000000000 +0100 +++ mhash-0.9.9.9/debian/patches/0015-mhash-0.9.9-no-free-before-use.patch 2019-09-04 09:48:01.000000000 +0100 @@ -0,0 +1,16 @@ +Description: Don't free the 'tmp' variable when it's used later. +Author: Hanno Böck +Origin: https://src.fedoraproject.org/rpms/mhash/c/baa57fdba46abadbac4d05762d8812db1cb1b93d?branch=master + +diff -up mhash-0.9.9.9/src/hmac_test.c.nofree mhash-0.9.9.9/src/hmac_test.c +--- mhash-0.9.9.9/src/hmac_test.c.nofree 2019-07-29 14:44:55.856345469 -0400 ++++ mhash-0.9.9.9/src/hmac_test.c 2019-07-29 14:45:11.466021935 -0400 +@@ -72,7 +72,7 @@ int main() + return(MUTILS_INVALID_RESULT); + } + +- mutils_free(tmp); ++ /* mutils_free(tmp); */ + + /* Test No 2 */ + diff -Nru mhash-0.9.9.9/debian/patches/series mhash-0.9.9.9/debian/patches/series --- mhash-0.9.9.9/debian/patches/series 2014-05-24 08:43:38.000000000 +0100 +++ mhash-0.9.9.9/debian/patches/series 2019-09-04 09:46:16.000000000 +0100 
@@ -12,3 +12,4 @@ 0012-autoconf-toe-step.patch 0013-autotools-updates.patch 0014-generate-mhash.pc.patch +0015-mhash-0.9.9-no-free-before-use.patch
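
Review bot: The new debian/changelog entry carries no Closes: reference, so the upload will not close this report when it reaches the archive; add "(Closes: #NNNNNN)" with this bug's number once it has been assigned. The entry could also name the file being patched (src/hmac_test.c), since "in the testsuite" does not say that the library code itself is left unchanged.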
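
Review bot: In the src/hmac_test.c hunk of 0015-mhash-0.9.9-no-free-before-use.patch, commenting out "mutils_free(tmp);" leaves dead code behind and does not show where tmp is released after its last use. Since the Description says tmp is used later, it would be cleaner to delete the line and call mutils_free(tmp) once that later use is finished, or to state in the Description that the test intentionally never frees the buffer. The DEP-3 header would also benefit from Bug-Debian and Last-Update fields so the patch can be traced back to this report.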