[Debian-iot-maintainers] Bug#1001328: closed by Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Nicolas Mora <babelouest at debian.org>) (Bug#1001328: fixed in ulfius 2.7.7-1)

Harald Welte laforge at gnumonks.org
Thu Dec 9 10:13:20 GMT 2021


Thanks a lot for the very fast response in tagging 2.7.7 and hence fixing the problem
for unstable.  

However, I am not sure if this bug should be closed yet, as 'stable'
(Debian 11 / bullseye) must also be fixed.  As bullseye cannot update
the upstream package version, a patch must be introduced to the Debian
package.

Or should there be a separate Debian bug filed for bullseye?

Regards,
	Harald

On Wed, Dec 08, 2021 at 10:51:07PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the libulfius2.7 package:
> 
> #1001328: ulfius_url_{encode,decode} call malloc instead of o_malloc
> 
> It has been closed by Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Nicolas Mora <babelouest at debian.org>).
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Nicolas Mora <babelouest at debian.org>) by
> replying to this email.
> 
> 
> -- 
> 1001328: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001328
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems

> Date: Wed, 08 Dec 2021 22:49:03 +0000
> From: Debian FTP Masters <ftpmaster at ftp-master.debian.org>
> To: 1001328-close at bugs.debian.org
> Subject: Bug#1001328: fixed in ulfius 2.7.7-1
> 
> Source: ulfius
> Source-Version: 2.7.7-1
> Done: Nicolas Mora <babelouest at debian.org>
> 
> We believe that the bug you reported is fixed in the latest version of
> ulfius, which is due to be installed in the Debian FTP archive.
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 1001328 at bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Nicolas Mora <babelouest at debian.org> (supplier of updated ulfius package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster at ftp-master.debian.org)
> 
> 
> Format: 1.8
> Date: Wed, 08 Dec 2021 17:27:55 -0500
> Source: ulfius
> Architecture: source
> Version: 2.7.7-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian IoT Maintainers <debian-iot-maintainers at lists.alioth.debian.org>
> Changed-By: Nicolas Mora <babelouest at debian.org>
> Closes: 1000989 1001328
> Changes:
>  ulfius (2.7.7-1) unstable; urgency=medium
>  .
>    [Paride Legovini]
>    * d/t/unit-test: run with ::1 in no_proxy (LP: #1945634)
>  .
>    [Nicolas Mora]
>    * New upstream release (Closes: #1001328)
>    * Fix testsuite fail with proxy (Closes: #1000989)

> Date: Wed, 08 Dec 2021 17:15:22 +0100
> From: Harald Welte <laforge at gnumonks.org>
> To: Debian Bug Tracking System <submit at bugs.debian.org>
> Subject: ulfius_url_{encode,decode} call malloc instead of o_malloc
> X-Mailer: reportbug 11.1.0
> 
> Package: libulfius2.7
> Version: 2.7.6-1
> Severity: important
> Tags: patch upstream
> X-Debbugs-Cc: Nicolas Mora <github at babelouest.org>
> 
> Ulfius has the capability of applications registering their own memory
> allocation functions using o_set_alloc_funcs(), as described in API.md
> at 
> https://github.com/babelouest/ulfius/blob/master/API.md#memory-management
> 
> Applications such as osmo-remsim make use of this feature to introduce
> libtalloc as a tool to help locating memory leaks.
> 
> However, from 2.6.0 up to 2.7.6 and current master, ulfius introduced
> a bug which renders this feature unusable:  Some new code started to bypass
> the application-provided malloc-function and directly call libc-malloc
> while passing that libc-malloc-allocated memory to the application-provided
> free-function.  As every memory allocator expects to receive only memory it
> has allocated to its free-function, this immediately crashes every application
> with custom allocator functions.
> 
> The upstream bug report is at https://github.com/babelouest/ulfius/issues/206
> 
> The upstream pull request is at https://github.com/babelouest/ulfius/pull/207
> 
> Debian will need to patch/update the ulfius packages for bullseye + sid.
> Debian buster is not affected, as it still ships ulfius 2.5.x which is prior
> to introducing the bug.
> 
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 5.14.0-4-amd64 (SMP w/4 CPU threads)
> Kernel taint flags: TAINT_DIE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages libulfius2.7 depends on:
> ii  libc6            2.32-5
> ii  libcurl3-gnutls  7.79.1-2
> ii  libgnutls30      3.7.2-2
> ii  libjansson4      2.13.1-1.1
> ii  libmicrohttpd12  0.9.73-4
> ii  liborcania2.2    2.2.1-1+b1
> ii  libyder2.0       1.4.14-1
> ii  zlib1g           1:1.2.11.dfsg-2
> 
> libulfius2.7 recommends no packages.
> 
> libulfius2.7 suggests no packages.
> 
> -- no debconf information

> From a2951c32475a79fccfaa06b7c3c36297c6f6cf5b Mon Sep 17 00:00:00 2001
> From: Harald Welte <laforge at osmocom.org>
> Date: Wed, 8 Dec 2021 16:57:12 +0100
> Subject: [PATCH] u_request: Don't use malloc, but always o_malloc
> 
> Allocating memory using malloc, but then free'ing it using o_free will
> not work for anyone using a custom memory allocator.   The allocations
> and free's must either both go to libc, or both via the custom
> allocator; one cannot allocate one way and release another.
> 
> Closes: #206
> ---
>  src/u_request.c | 2 +-
>  src/ulfius.c    | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/u_request.c b/src/u_request.c
> index 385572b..8203c5e 100644
> --- a/src/u_request.c
> +++ b/src/u_request.c
> @@ -143,7 +143,7 @@ static char from_hex(char ch) {
>   */
>  static char * url_decode(const char * str) {
>    if (str != NULL) {
> -    char * pstr = (char*)str, * buf = malloc(strlen(str) + 1), * pbuf = buf;
> +    char * pstr = (char*)str, * buf = o_malloc(strlen(str) + 1), * pbuf = buf;
>      while (* pstr) {
>        if (* pstr == '%') {
>          if (pstr[1] && pstr[2]) {
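Review bot: In url_decode the o_malloc result is used without a NULL check: the declaration goes straight into `while (* pstr)` with pbuf pointing at buf. ulfius_url_encode and ulfius_url_decode in src/ulfius.c both guard with `if (buf != NULL)`; adding the same guard here keeps an allocation failure in an application-supplied allocator from turning into a NULL dereference.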
> diff --git a/src/ulfius.c b/src/ulfius.c
> index 0d7da36..8a0caa6 100644
> --- a/src/ulfius.c
> +++ b/src/ulfius.c
> @@ -1842,7 +1842,7 @@ static char to_hex(char code) {
>  char * ulfius_url_encode(const char * str) {
>    char * pstr = (char*)str, * buf = NULL, * pbuf = NULL;
>    if (str != NULL) {
> -    buf = malloc(strlen(str) * 3 + 1);
> +    buf = o_malloc(strlen(str) * 3 + 1);
>      if (buf != NULL) {
>        pbuf = buf;
>        while (* pstr) {
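Review bot: ulfius_url_encode hands buf back to the caller, so moving the allocation to o_malloc also changes how callers have to release the result. A caller that still passes it to libc free() now has the same mismatch in the other direction once a custom allocator is registered. The function's doc comment should state that the returned string must be released with o_free.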
> @@ -1876,7 +1876,7 @@ char * ulfius_url_encode(const char * str) {
>  char * ulfius_url_decode(const char * str) {
>    char * pstr = (char*)str, * buf = NULL, * pbuf = NULL;
>    if (str != NULL) {
> -    buf = malloc(strlen(str) + 1);
> +    buf = o_malloc(strlen(str) + 1);
>      if (buf != NULL) {
>        pbuf = buf;
>        while (* pstr) {
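Review bot: No test accompanies the change at the malloc call in ulfius_url_decode; the diffstat touches only src/u_request.c and src/ulfius.c. A test that registers counting allocator functions through o_set_alloc_funcs() and runs a ulfius_url_encode / ulfius_url_decode round trip would catch any later call site that goes back to libc malloc.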
> -- 
> 2.34.1
> 



-- 
- Harald Welte <laforge at gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
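
The allocator mismatch described in the bug report, as an added example that is not part of the original mail or of the ulfius sources. All names here (tracked_malloc, tracked_free, lib_malloc, lib_free, dup_buggy, dup_fixed, round_trip) are hypothetical; the hook pair only stands in for what an application would register, and the tracking table replaces a real allocator such as talloc.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_LIVE 64
static void *live[MAX_LIVE];   /* blocks handed out by tracked_malloc */
static int foreign_frees = 0;  /* frees of blocks we never handed out */

/* Hypothetical application allocator: remembers every block it returns. */
static void *tracked_malloc(size_t n) {
  void *p = malloc(n);
  for (int i = 0; p != NULL && i < MAX_LIVE; i++) {
    if (live[i] == NULL) { live[i] = p; return p; }
  }
  free(p);  /* malloc failed (no-op) or the table is full */
  return NULL;
}

/* Matching free: detects blocks that did not come from tracked_malloc. */
static void tracked_free(void *p) {
  if (p == NULL) return;
  for (int i = 0; i < MAX_LIVE; i++) {
    if (live[i] == p) { live[i] = NULL; free(p); return; }
  }
  foreign_frees++;  /* a real custom allocator would abort or corrupt its heap here */
  free(p);          /* in this demo the block is known to be libc's */
}

/* Hook pair standing in for what an application registers with the library. */
static void *(*lib_malloc)(size_t) = tracked_malloc;
static void (*lib_free)(void *) = tracked_free;

/* Shape of the pre-fix code: allocation bypasses the hook. */
static char *dup_buggy(const char *s) {
  char *buf = malloc(strlen(s) + 1);
  return buf ? strcpy(buf, s) : NULL;
}

/* Shape of the fixed code: allocation goes through the hook. */
static char *dup_fixed(const char *s) {
  char *buf = lib_malloc(strlen(s) + 1);
  return buf ? strcpy(buf, s) : NULL;
}

/* One allocate/release round trip; returns the foreign frees it caused. */
static int round_trip(char *(*dup)(const char *)) {
  int before = foreign_frees;
  lib_free(dup("a%20b"));
  return foreign_frees - before;
}

int main(void) { return !(round_trip(dup_buggy) == 1 && round_trip(dup_fixed) == 0); }
```

The program exits with status 0 when the pre-fix shape produces exactly one foreign free and the fixed shape produces none.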


