Package: libsasl2-modules
Version: 2.1.28+dfsg-10

The Debian patch 0029-Load-OpenSSL3-legacy-provider-digestmd5.patch introduces a memory leak into plugins/digestmd5.c:init_rc4(). It adds a call to:

    cipher = EVP_CIPHER_fetch(ossl3_ctx->libctx, "RC4", "");

but does not free the result with EVP_CIPHER_free(). I successfully tested a fix, which was to initialize cipher to NULL and add just after done: block:

    #if OPENSSL_VERSION_NUMBER >= 0x30000000L
        EVP_CIPHER_free(cipher);
    #endif
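
Added example, not part of the original report and not code from cyrus-sasl or the Debian patch: a small model of the leak and of the fix described above, counting outstanding references on every exit path. fetch_cipher(), free_cipher(), live_refs and both init functions are hypothetical stand-ins for EVP_CIPHER_fetch(), EVP_CIPHER_free() and init_rc4(); the failure flags are constructed inputs.

```c
/* Added example: fetch_cipher()/free_cipher()/live_refs are constructed
 * stand-ins for EVP_CIPHER_fetch()/EVP_CIPHER_free() and their refcount. */
#include <stdlib.h>

static int live_refs;                 /* references fetched but not yet freed */
typedef struct { int unused; } cipher_t;

static cipher_t *fetch_cipher(int available)
{
    cipher_t *c;
    if (!available) return NULL;      /* models a failed fetch */
    c = malloc(sizeof *c);
    if (c) live_refs++;
    return c;
}

static void free_cipher(cipher_t *c)  /* NULL-safe, like EVP_CIPHER_free() */
{
    if (!c) return;
    live_refs--;
    free(c);
}

/* Shape described in the report: the fetched reference is never released. */
static int init_leaky(int available, int setup_ok)
{
    int rc = -1;
    cipher_t *cipher = fetch_cipher(available);
    if (!cipher) goto done;
    if (!setup_ok) goto done;         /* a later setup step fails */
    rc = 0;
done:
    return rc;                        /* leaks on success and on late failure */
}

/* Shape of the reported fix: NULL-initialise, release just after done:. */
static int init_fixed(int available, int setup_ok)
{
    int rc = -1;
    cipher_t *cipher = NULL;
    cipher = fetch_cipher(available);
    if (!cipher) goto done;
    if (!setup_ok) goto done;
    rc = 0;
done:
    free_cipher(cipher);              /* runs on every exit path, NULL included */
    return rc;
}
```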