[From nobody Sat Mar 21 15:41:06 2026 Received: (at submit) by bugs.debian.org; 8 Feb 2026 18:24:31 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-17.8 required=4.0 tests=BAYES_00, BODY_INCLUDES_PACKAGE,FOURLA,HAS_PACKAGE,KHOP_HELO_FCRDNS,SPF_SOFTFAIL, XMAILER_REPORTBUG autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 94; hammy, 150; neutral, 75; spammy, 0. spammytokens: hammytokens:0.000-+--XDebbugsCc, 0.000-+--X-Debbugs-Cc, 0.000-+--sk:taint_o, 0.000-+--sk:TAINT_O, 0.000-+--sk:taint_u Return-path: <max@urbanlogiq.com> Received: from s010698b785219a24.vf.shawcable.net ([70.68.160.51]:21353 helo=[172.17.0.5]) by buxtehude.debian.org with esmtp (Exim 4.96) (envelope-from <max@urbanlogiq.com>) id 1vp9SR-00GO3X-10 for submit@bugs.debian.org; Sun, 08 Feb 2026 18:24:31 +0000 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Max Burke <max@urbanlogiq.com> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: openssl: MD5_Final performing out-of-bounds-write Message-ID: <177057506862.19210.15979584634345579015.reportbug@3af1fdbcfab0> X-Mailer: reportbug 12.0.0 Date: Sun, 08 Feb 2026 18:24:28 +0000 Delivered-To: submit@bugs.debian.org Package: openssl Version: 3.0.18-1~deb12u2 Severity: normal X-Debbugs-Cc: max@urbanlogiq.com Dear Maintainer, When initializing clamav, it initializes a message digest context using EVP_MD_CTX_new(). After doing its work, it uses MD5_Final to finalize the message digest, but doing so performs an out-of-bunds write. Here is the report from valgrind about the out-of-bounds write and where it was allocated from: ==18420== Invalid write of size 8 ==18420== at 0x1311D234: memset (vg_replace_strmem.c:1358) ==18420== by 0xA2017B1: MD5_Final (md5.c:288) ==18420== by 0x158F7D6A: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3) ==18420== by 0x157E7870: EVP_DigestFinal_ex (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3) ==18420== by 0x1321AAC9: cl_finish_hash (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x1321F823: cli_hashstream (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x13206CAD: ??? (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x13206EAD: ??? (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x132116C8: ??? (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x132145F1: cl_load (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x69FBC2C: <clamav_rs::engine::Engine>::load_databases (engine.rs:165) ==18420== by 0x66DA75F: uldatacatalog::drive::av::init (av.rs:110) ==18420== Address 0x18139d20 is 4 bytes after a block of size 92 alloc'd ==18420== at 0x131137B4: malloc (vg_replace_malloc.c:381) ==18420== by 0x158253E8: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3) ==18420== by 0x157E8ACC: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3) ==18420== by 0x1321AA49: cl_hash_init (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x1321F7D1: cli_hashstream (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x13206CAD: ??? (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x13206EAD: ??? (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x132116C8: ??? (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x132145F1: cl_load (in /usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3) ==18420== by 0x69FBC2C: <clamav_rs::engine::Engine>::load_databases (engine.rs:165) ==18420== by 0x66DA75F: uldatacatalog::drive::av::init (av.rs:110) ==18420== by 0x62B35C5: uldatacatalog::init::{closure#0} (lib.rs:258) -- System Information: Debian Release: 12.13 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 6.8.0-90-generic (SMP w/32 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: unable to detect Versions of packages openssl depends on: ii libc6 2.36-9+deb12u13 ii libssl3 3.0.18-1~deb12u2 openssl recommends no packages. Versions of packages openssl suggests: ii ca-certificates 20230311+deb12u1 -- no debconf information ]