[pkg-opensc-maint] Bug#802118: Bug#802118: libengine-pkcs11-openssl: Functions to set static global data may cause memory leak.

Eric Dorland eric at debian.org
Sun Oct 18 21:31:08 UTC 2015

* persmule (persmule at gmail.com) wrote:
> Package: libengine-pkcs11-openssl
> Version: 0.1.8-5
> Severity: grave
> Tags: security
> Justification: user security hole
> Dear Maintainer,
> Functions in src/engine_pkcs11.c to set static global data (set_module,
> set_pin, get_pin and set_init_args) do not free memories pointed by the
> corresponding pointers before assigning them to newly allocated
> memories, which
> may cause memory leaks if they are called more than once.
> The bugs related to set_module, set_pin and get_pin are fixed on
> upstream, but
> the one of set_init_args is not.

Agreed that these are valid memory leaks but what's the security
implication? This doesn't seem obviously exploitable.

Eric Dorland <eric at kuroneko.ca>
43CF 1228 F726 FD5B 474C  E962 C256 FBD5 0022 1E93
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-opensc-maint/attachments/20151018/ebec569d/attachment.sig>

More information about the pkg-opensc-maint mailing list