Dear Maintainer, I don't know whether it is easy to exploit. But I believe every memory bug related to a security-oriented package is grave.
By the way, I managed to create a patch locally; may it be useful for you.

Persmule

On Sun, 18 Oct 2015 17:31:08 -0400 Eric Dorland <e...@debian.org> wrote:
> * persmule (persm...@gmail.com) wrote:
> > Package: libengine-pkcs11-openssl
> > Version: 0.1.8-5
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Dear Maintainer,
> >
> > Functions in src/engine_pkcs11.c to set static global data (set_module,
> > set_pin, get_pin and set_init_args) do not free memories pointed by the
> > corresponding pointers before assigning them to newly allocated
> > memories, which may cause memory leaks if they are called more than once.
> >
> > The bugs related to set_module, set_pin and get_pin are fixed on
> > upstream, but the one of set_init_args is not.
>
> Agreed that these are valid memory leaks but what's the security
> implication? This doesn't seem obviously exploitable.
>
> --
> Eric Dorland <e...@kuroneko.ca>
> 43CF 1228 F726 FD5B 474C E962 C256 FBD5 0022 1E93
Description: <short summary of the patch> Functions in src/engine_pkcs11.c to set static global data (set_module, set_pin, get_pin and set_init_args) do not free memories pointed by the corresponding pointers before assigning them to newly allocated memories, which may cause memory leaks if they are called more than once. . engine-pkcs11 (0.1.8-5.1) unstable; urgency=medium . * src/engine_pkcs11.c: Prevent potential memory leak (fix #802118) Author: Xie Tianming <persm...@gmail.com> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, <url of original patch> Bug: <url in upstream bugtracker> Bug-Debian: https://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: <YYYY-MM-DD> --- engine-pkcs11-0.1.8.orig/src/engine_pkcs11.c +++ engine-pkcs11-0.1.8/src/engine_pkcs11.c @@ -62,10 +62,22 @@ static char *init_args = NULL; int set_module(const char *modulename) { + free(module); module = modulename ? strdup(modulename) : NULL; return 1; } +/* Free PIN storage in secure way. */ +static void zero_pin(void) +{ + if (pin != NULL) { + OPENSSL_cleanse(pin, pin_length); + free(pin); + pin = NULL; + pin_length = 0; + } +} + /** * Set the PIN used for login. A copy of the PIN shall be made. * @@ -89,6 +101,7 @@ int set_pin(const char *_pin) /* Copy the PIN. If the string cannot be copied, NULL shall be returned and errno shall be set. */ + zero_pin(); pin = strdup(_pin); if (pin != NULL) pin_length = strlen(pin); 
@@ -115,6 +128,7 @@ static int get_pin(UI_METHOD * ui_method /* pin in the call back data, copy and use */ if (mycb != NULL && mycb->password) { + zero_pin(); pin = (char *)calloc(MAX_PIN_LENGTH, sizeof(char)); if (!pin) return 0; @@ -147,6 +161,7 @@ static int get_pin(UI_METHOD * ui_method int set_init_args(const char *init_args_orig) { + free(init_args); init_args = init_args_orig ? strdup(init_args_orig) : NULL; return 1; }
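Review bot: The DEP-3 header at the top of the patch still carries the template placeholder "Description: <short summary of the patch>" and the whole "Here are templates for supplementary fields" block. Replace the placeholder with a one-line summary, drop the template text, and fill in Bug-Debian with the bug number the changelog line cites (#802118); a Forwarded field would also help, since the report says the set_init_args leak is not yet fixed upstream.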
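Review bot: In zero_pin() (first hunk), OPENSSL_cleanse(pin, pin_length) wipes only pin_length bytes, while the get_pin hunk allocates the buffer with calloc(MAX_PIN_LENGTH, sizeof(char)). The wipe is complete only if pin_length always matches what was written into that buffer. Consider recording the allocated size next to pin and cleansing that many bytes, so the wipe does not depend on pin_length being kept in sync at every place pin is written.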
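Review bot: In the set_pin hunk, zero_pin() runs before pin = strdup(_pin), so if a caller ever passes the currently stored PIN pointer back in as _pin, strdup reads memory that has just been cleansed and freed. Duplicating into a temporary first, then calling zero_pin(), then assigning the temporary to pin removes the aliasing hazard without changing the leak fix.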
engine-pkcs11 (0.1.8-5.1) unstable; urgency=medium

  * src/engine_pkcs11.c: Prevent potential memory leak (fix #802118)

 -- Xie Tianming <persm...@gmail.com>  Mon, 19 Oct 2015 09:19:53 +0800

engine-pkcs11 (0.1.8-5) unstable; urgency=medium

  * debian/source/options, debian/source/patch-header: Remove obsolete
    source control files.
  * debian/watch: Fix URL.
  * debian/control: Move maintainer to
    pkg-opensc-ma...@lists.alioth.debian.org to and myself to Uploaders.
  * debian/copyright: Move to DEP5 copyright file.
  * debian/gbp.conf: Use pristine-tar.
  * debian/control, debian/rules: Use dh-autoreconf.

 -- Eric Dorland <e...@debian.org>  Sun, 10 May 2015 15:49:32 -0400

engine-pkcs11 (0.1.8-4) unstable; urgency=medium

  * debian/control: Standards-Version to 3.9.6.
  * debian/control: Add Vcs-* fields.
  * debian/control: Add Homepage field.
  * debian/watch: Update with new GitHub location.
  * debian/control: Run wrap-and-sort.

 -- Eric Dorland <e...@debian.org>  Sat, 20 Sep 2014 19:03:02 -0400

engine-pkcs11 (0.1.8-3) unstable; urgency=low

  * debian/control, debian/rules: Use autotools-dev.
  * debian/compat, debian/control: Use debhelper v9.
  * debian/control: Upgrade Standards-Version to 3.9.4.

 -- Eric Dorland <e...@debian.org>  Wed, 11 Sep 2013 23:52:42 -0400

engine-pkcs11 (0.1.8-2) unstable; urgency=low

  * debian/rules: Actually install the engine in the correct
    location.(Closes: #566971)

 -- Eric Dorland <e...@debian.org>  Tue, 09 Feb 2010 02:33:41 -0500

engine-pkcs11 (0.1.8-1) unstable; urgency=low

  * New upstream release. (Closes: #564056)
  * debian/libengine-pkcs11-openssl.links: Engine is now installed into
    the correct location under /usr/lib/ssl/engines, add a symlink to the
    old location for compatibility. (Closes: 506772)

 -- Eric Dorland <e...@debian.org>  Sun, 10 Jan 2010 03:45:56 -0500

engine-pkcs11 (0.1.7-1) unstable; urgency=low

  * New upstream release.
  * debian/source/format, debian/source/options,
    debian/source/patch-header: Convert to v3 quilt format, with
    single-debian-patch.
  * debian/control:
    - Build depend on the correct version of debhelper.
    - Add ${misc:Depends}.
  * debian/rules, debian/libengine-pkcs11-openssl.doc-base: Install docs,
    fix up paths and use the right doc-base section.

 -- Eric Dorland <e...@debian.org>  Sun, 10 Jan 2010 03:18:54 -0500

engine-pkcs11 (0.1.6-1) unstable; urgency=low

  * New upstream release.
  * debian/control:
    - Now requires libp11 >= 0.2.5.
    - Depend on debhelper > 7, remove cdbs.
    - Standards-Version to 3.8.3.
  * debian/rules: Switch to dh.
  * debian/compat: Add, version 7.

 -- Eric Dorland <e...@debian.org>  Sun, 23 Aug 2009 19:20:25 -0400

engine-pkcs11 (0.1.5-1) unstable; urgency=low

  * New upstream release.
  * debian/rules:
    - Update for new ChangeLog location.
    - Install docs in the right place with --htmldir.
  * debian/libengine-pkcs11-openssl.docs: No need for this file anymore.
  * debian/libengine-pkcs11-openssl.doc-base: Update for new location.

 -- Eric Dorland <e...@debian.org>  Mon, 06 Apr 2009 03:23:28 -0400

engine-pkcs11 (0.1.4-2) unstable; urgency=low

  [ Cyril Brulebois ]
  * src/engine_pkcs11.c: Backport revision 110 (upstream ticket #11) to
    fix failure to ask a PIN, often rendering the smartcard locked: check
    for mycb not being NULL before trying to dereference it, in
    src/engine_pkcs11.c's get_pin(). Thanks to Aron Griffis for both
    Debian and upstream bug reports. (Closes: #503298).

 -- Eric Dorland <e...@debian.org>  Sun, 09 Nov 2008 01:21:09 -0500

engine-pkcs11 (0.1.4-1) unstable; urgency=low

  * New upstream release.
  * debian/control: Up Standard-Version to 3.7.2.2.

 -- Eric Dorland <e...@debian.org>  Sat, 21 Jul 2007 14:22:04 -0400

engine-pkcs11 (0.1.3-2) unstable; urgency=low

  * debian/control: Standards-Version to 3.7.2.1.
  * debian/watch: Update to new location and switch to version 3.

 -- Eric Dorland <e...@debian.org>  Sun, 23 Jul 2006 01:30:12 -0400

engine-pkcs11 (0.1.3-1) unstable; urgency=low

  * New upstream release.
  * debian/control:
    - Build depend on the newer libp11-dev, since it's necessary.
    - We need libltdl3-dev.

 -- Eric Dorland <e...@debian.org>  Fri, 9 Dec 2005 00:30:03 -0500

engine-pkcs11 (0.1.2-1) unstable; urgency=low

  * Initial release.

 -- Eric Dorland <e...@debian.org>  Tue, 29 Nov 2005 01:47:32 -0500