Bug#1137320: libstring-compare-constanttime-perl: Debian patch for CVE-2024-13939 in trixie causes random segfaults due to random memory reads
Matthew Horsfall (alh)
wolfsage at gmail.com
Fri May 22 14:16:37 BST 2026
Package: libstring-compare-constanttime-perl
Version: 0.321-3
Severity: important
X-Debbugs-Cc: wolfsage at gmail.com
Dear Maintainer,
I noticed on Trixie that my code using String::Compare::ConstantTime would randomly crash.
In debugging it, I isolated the problem to the patch included in Debian for CVE-2024-13939
seen here: https://sources.debian.org/patches/libstring-compare-constanttime-perl/0.321-3/
The patch constructs a memory address from two different pointers, which, if the high bits
of one pointer do not match the high bits of the other pointer, points to a random
memory location. Reading from that location causes a segfault:
+ unsigned char *s;
+ unsigned char r;
+ uintptr_t mask;
+
+ /* Orchestrate a dummy compare which never matches and whose run-time does
+ * not stand out if a_len != b_len */
+ r = (a_len != b_len);
+ /* Branching-less: s = (r) ? b : a */
+ mask = 0u - r;
+ s = (unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
+
+ for (i = 0; i < b_len; i++) {
+ r |= *s++ ^ *b++;
}
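Review bot: `mask = 0u - r;` computes the mask in unsigned int and only then widens it to uintptr_t, so on a 64-bit target the upper 32 bits of mask are zero and the select on the next line yields b's lower half combined with a's upper half whenever the two buffers differ in their upper bits, which is the stray pointer this report describes; subtract at pointer width instead, e.g. `mask = (uintptr_t)0 - r;` (or equivalently `mask = -(uintptr_t)r;`), and consider asserting in a unit test that the select returns exactly a or b for buffers allocated in different regions.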
For more details and a reproducer, see:
https://github.com/hoytech/String-Compare-ConstantTime/pull/21/#pullrequestreview-4345646603
Thanks,
-- Matthew Horsfall (alh)
-- System Information:
Debian Release: 13.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.16.3+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages libstring-compare-constanttime-perl depends on:
ii libc6 2.41-12+deb13u3
ii perl 5.40.1-6
ii perl-base [perlapi-5.40.1] 5.40.1-6
libstring-compare-constanttime-perl recommends no packages.
libstring-compare-constanttime-perl suggests no packages.
-- no debconf information
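The mask-width defect described in the report above, as an added example (not code from the Debian patch or the upstream module): the patch's `0u - r` mask beside a pointer-width one, a check on constructed addresses showing which of the two actually selects b, and the compare loop with the corrected mask. The function names are the example's own, and it assumes an LP64 target such as the reporter's amd64.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the Debian patch or the upstream module.
 * mask_patch() reproduces the patch's `0u - r`: the subtraction is done in
 * unsigned int and only afterwards widened to uintptr_t, so on LP64 targets
 * the high 32 bits of the mask are zero. mask_fixed() subtracts at pointer
 * width and yields all-ones for r == 1. */
uintptr_t mask_patch(unsigned char r) { return 0u - r; }
uintptr_t mask_fixed(unsigned char r) { return (uintptr_t)0 - r; }

/* Branch-free select exactly as in the patch: an all-ones mask picks b,
 * a zero mask picks a. */
static const unsigned char *select_ptr(const unsigned char *a,
                                       const unsigned char *b, uintptr_t mask)
{
    return (const unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
}

/* Feeds the select two constructed addresses whose upper halves differ
 * (never dereferenced) with r = 1, and returns 1 only if b was selected.
 * With mask_patch on LP64 the result mixes a's upper half with b's lower
 * half, i.e. a pointer to neither buffer: the reported segfault. */
int select_picks_b(uintptr_t (*mk_mask)(unsigned char))
{
    unsigned half = sizeof(uintptr_t) * CHAR_BIT / 2;
    const unsigned char *a = (const unsigned char *)(((uintptr_t)0x1234 << half) | 0x1000);
    const unsigned char *b = (const unsigned char *)(((uintptr_t)0x5678 << half) | 0x2000);
    return select_ptr(a, b, mk_mask(1)) == b;
}

/* The constant-time compare with the corrected mask. When the lengths
 * differ, b is compared against itself for b_len bytes, so the loop never
 * over-reads and its run time does not reveal the length mismatch; r is
 * already 1, so the result is still "not equal". Returns 1 when equal. */
int ct_equal(const unsigned char *a, size_t a_len,
             const unsigned char *b, size_t b_len)
{
    unsigned char r = (unsigned char)(a_len != b_len);
    const unsigned char *s = select_ptr(a, b, mask_fixed(r));
    size_t i;

    for (i = 0; i < b_len; i++)
        r |= s[i] ^ b[i];
    return r == 0;
}
```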