[pkg-opensc-maint] Bug#802118: Bug#802118: libengine-pkcs11-openssl: Functions to set static global data may cause memory leak.
persmule at gmail.com
Tue Oct 27 03:02:14 UTC 2015
I have filed a patch for set_init_args (thus the bugs related to these
four functions are fixed completely) to upstream on github, which has
been merged into its master branch 6 hours ago.
On Sun, 18 Oct 2015 17:31:08 -0400 Eric Dorland <eric at debian.org> wrote:
> * persmule (persmule at gmail.com) wrote:
> > Package: libengine-pkcs11-openssl
> > Version: 0.1.8-5
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > Dear Maintainer,
> > Functions in src/engine_pkcs11.c to set static global data (set_module,
> > set_pin, get_pin and set_init_args) do not free memories pointed by the
> > corresponding pointers before assigning them to newly allocated
> > memories, which
> > may cause memory leaks if they are called more than once.
> > The bugs related to set_module, set_pin and get_pin are fixed on
> > upstream, but
> > the one of set_init_args is not.
> Agreed that these are valid memory leaks but what's the security
> implication? This doesn't seem obviously exploitable.
> Eric Dorland <eric at kuroneko.ca>
> 43CF 1228 F726 FD5B 474C E962 C256 FBD5 0022 1E93
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the pkg-opensc-maint