On Fri, 28 Aug 2009 09:06:40 +0300, Niko Tyni wrote:

> > Anyway, you've seen my tentative diff, and I also have time on Friday
> > and Sunday for any changes and uploads.
> Thanks for picking this up Gregor. Not sure if a testcase can be found
> through the CVE entries, so I'm attaching one for your convenience.

Thanks a lot!

Here's the output of the package in stable:

gre...@tux:/tmp/bzip$ dd if=/dev/zero bs=16384 count=1 | bzip2 - | valgrind perl bunzip2.pl >/dev/null
1+0 records in
1+0 records out
16384 bytes (16 kB) copied, 3.4281e-05 s, 478 MB/s
==2620== Memcheck, a memory error detector.
==2620== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==2620== Using LibVEX rev 1854, a library for dynamic binary translation.
==2620== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==2620== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==2620== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==2620== For more details, rerun with: -v
==2620==
==2620== Invalid write of size 1
==2620==    at 0x64245AC: XS_Compress__Raw__Bunzip2_bzinflate (in /usr/lib/perl5/auto/Compress/Raw/Bzip2/Bzip2.so)
==2620==    by 0x4ED2EBF: Perl_pp_entersub (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ED13A1: Perl_runops_standard (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ECC5EE: perl_run (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x400D0B: main (in /usr/bin/perl)
==2620==  Address 0x5f759b0 is 0 bytes after a block of size 16,384 alloc'd
==2620==    at 0x4C2260E: malloc (vg_replace_malloc.c:207)
==2620==    by 0x4EB2545: Perl_safesysmalloc (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4EE8A97: Perl_sv_grow (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x64242AD: XS_Compress__Raw__Bunzip2_bzinflate (in /usr/lib/perl5/auto/Compress/Raw/Bzip2/Bzip2.so)
==2620==    by 0x4ED2EBF: Perl_pp_entersub (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ED13A1: Perl_runops_standard (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ECC5EE: perl_run (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x400D0B: main (in /usr/bin/perl)
==2620==
==2620== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 9 from 2)
==2620== malloc/free: in use at exit: 631,829 bytes in 7,105 blocks.
==2620== malloc/free: 13,617 allocs, 6,512 frees, 4,771,390 bytes allocated.
==2620== For counts of detected errors, rerun with: -v
==2620== searching for pointers to 7,105 not-freed blocks.
==2620== checked 371,088 bytes.
==2620==
==2620== LEAK SUMMARY:
==2620==    definitely lost: 629,033 bytes in 7,094 blocks.
==2620==      possibly lost: 0 bytes in 0 blocks.
==2620==    still reachable: 2,796 bytes in 11 blocks.
==2620==         suppressed: 0 bytes in 0 blocks.
==2620== Rerun with --leak-check=full to see details of leaked memory.

And here with the patch:

gre...@tux:/tmp/bzip$ dd if=/dev/zero bs=16384 count=1 | bzip2 - | valgrind perl bunzip2.pl >/dev/null
1+0 records in
1+0 records out
16384 bytes (16 kB) copied, 3.3554e-05 s, 488 MB/s
==2556== Memcheck, a memory error detector.
==2556== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==2556== Using LibVEX rev 1854, a library for dynamic binary translation.
==2556== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==2556== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==2556== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==2556== For more details, rerun with: -v
==2556==
==2556==
==2556== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 9 from 2)
==2556== malloc/free: in use at exit: 631,837 bytes in 7,105 blocks.
==2556== malloc/free: 13,617 allocs, 6,512 frees, 4,771,398 bytes allocated.
==2556== For counts of detected errors, rerun with: -v
==2556== searching for pointers to 7,105 not-freed blocks.
==2556== checked 371,088 bytes.
==2556==
==2556== LEAK SUMMARY:
==2556==    definitely lost: 629,041 bytes in 7,094 blocks.
==2556==      possibly lost: 0 bytes in 0 blocks.
==2556==    still reachable: 2,796 bytes in 11 blocks.
==2556==         suppressed: 0 bytes in 0 blocks.
==2556== Rerun with --leak-check=full to see details of leaked memory.

> > gregor, who is just a bit confused why libcompress-raw-zlib-perl goes
> > to s-p-u and libcompress-raw-bzip2-perl maybe to
> > stable-security
> Has the security team acked a libcompress-raw-bzip2-perl upload?
> I assumed this one would go through s-p-u too.

JFTR (you know it already from a CC): the security team now proposes to
run libcompress-raw-bzip2-perl through s-p-u, too.

Cheers,
gregor
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: Nguyên Lê: Lacrima Christi