[pkg-opensc-maint] Bug#802118: Bug#802118: libengine-pkcs11-openssl: Functions to set static global data may cause memory leak.

[Persmule]

Dear Maintainer,

I have filed a patch for set_init_args (thus the bugs related to these
four functions are fixed completely) to upstream on github, which has
been merged into its master branch 6 hours ago.

Please check.

On Sun, 18 Oct 2015 17:31:08 -0400 Eric Dorland <eric at debian.org> wrote:
> * persmule (persmule at gmail.com) wrote:
> > Package: libengine-pkcs11-openssl
> > Version: 0.1.8-5
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Dear Maintainer,
> >
> > Functions in src/engine_pkcs11.c to set static global data (set_module,
> > set_pin, get_pin and set_init_args) do not free memories pointed by the
> > corresponding pointers before assigning them to newly allocated
> > memories, which
> > may cause memory leaks if they are called more than once.
> >
> > The bugs related to set_module, set_pin and get_pin are fixed on
> > upstream, but
> > the one of set_init_args is not.
>
> Agreed that these are valid memory leaks but what's the security
> implication? This doesn't seem obviously exploitable.
>
> --
> Eric Dorland <eric at kuroneko.ca>
> 43CF 1228 F726 FD5B 474C E962 C256 FBD5 0022 1E93


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-opensc-maint/attachments/20151027/67101a31/attachment.sig>