strophe / libstrophe

A simple, lightweight C library for writing XMPP clients
http://strophe.im/libstrophe

Double free in gnutls library #177

Closed pasis closed 3 years ago

pasis commented 3 years ago
==22549== Invalid free() / delete / delete[] / realloc()
==22549==    at 0x402D358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22549==    by 0x40EA896: ??? (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40EAAFA: gnutls_subject_alt_names_deinit (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DD6B7: ??? (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DFBBD: gnutls_x509_crt_get_subject_alt_othername_oid (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x8051866: _tls_get_id_on_xmppaddr.isra.0 (tls_gnutls.c:107)
==22549==    by 0x8051A52: _tls_id_on_xmppaddr (tls_gnutls.c:134)
==22549==    by 0x8051B6C: tls_id_on_xmppaddr_num (tls_gnutls.c:168)
==22549==    by 0x8049534: main (test_xmppaddr.c:37)
==22549==  Address 0x45ccdd0 is 0 bytes inside a block of size 67 free'd
==22549==    at 0x402D358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22549==    by 0x40DD891: ??? (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DFBBD: gnutls_x509_crt_get_subject_alt_othername_oid (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x8051866: _tls_get_id_on_xmppaddr.isra.0 (tls_gnutls.c:107)
==22549==    by 0x8051A52: _tls_id_on_xmppaddr (tls_gnutls.c:134)
==22549==    by 0x8051B6C: tls_id_on_xmppaddr_num (tls_gnutls.c:168)
==22549==    by 0x8049534: main (test_xmppaddr.c:37)
==22549==  Block was alloc'd at
==22549==    at 0x402C17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22549==    by 0x40B2CBD: ??? (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DF636: ??? (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40EAE37: gnutls_x509_ext_import_subject_alt_names (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DD5E9: ??? (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DFBBD: gnutls_x509_crt_get_subject_alt_othername_oid (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x8051866: _tls_get_id_on_xmppaddr.isra.0 (tls_gnutls.c:107)
==22549==    by 0x8051A52: _tls_id_on_xmppaddr (tls_gnutls.c:134)
==22549==    by 0x8051B6C: tls_id_on_xmppaddr_num (tls_gnutls.c:168)
==22549==    by 0x8049534: main (test_xmppaddr.c:37)

This issue is reproducible on Ubuntu 16.04 32bit and not reproducible on latest Gentoo 64bit.

gnutls version in Ubuntu: 3.4.10
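
To triage a memcheck report like the one above, here is an added Python example (not part of this issue and not libstrophe or GnuTLS code) that splits the report into its three stacks, confirms it is a double free, finds the deepest frame shared by the two release paths, and locates the first application frame in each stack. The embedded report is a constructed, abbreviated copy of the trace pasted above.

```python
import re
# Constructed sample: an abbreviated copy of the memcheck report pasted above.
SAMPLE = """\
==22549== Invalid free() / delete / delete[] / realloc()
==22549==    at 0x402D358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22549==    by 0x40EAAFA: gnutls_subject_alt_names_deinit (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DFBBD: gnutls_x509_crt_get_subject_alt_othername_oid (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x8051866: _tls_get_id_on_xmppaddr.isra.0 (tls_gnutls.c:107)
==22549==  Address 0x45ccdd0 is 0 bytes inside a block of size 67 free'd
==22549==    at 0x402D358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22549==    by 0x40DD891: ??? (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x40DFBBD: gnutls_x509_crt_get_subject_alt_othername_oid (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x8051866: _tls_get_id_on_xmppaddr.isra.0 (tls_gnutls.c:107)
==22549==  Block was alloc'd at
==22549==    at 0x402C17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22549==    by 0x40EAE37: gnutls_x509_ext_import_subject_alt_names (in /usr/lib/i386-linux-gnu/libgnutls.so.30.6.2)
==22549==    by 0x8051866: _tls_get_id_on_xmppaddr.isra.0 (tls_gnutls.c:107)
"""
# A frame is "at/by 0xADDR: function (location)"; location is "file.c:line" or "in /path/lib.so".
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
HEADER = re.compile(r"Invalid free\(\)|free'd$|Block was alloc'd")

def parse_invalid_free(report):
    # The report carries up to three stacks, always in this order.
    stacks, cur = {}, None
    for line in report.splitlines():
        if HEADER.search(line):
            cur = ("bad_free", "first_free", "alloc")[len(stacks)]
            stacks[cur] = []
        elif cur and (m := FRAME.match(line)):
            stacks[cur].append((m.group(1), m.group(2)))
    return stacks

def shared_release_path(stacks):
    # Deepest named frame on both release paths: the function under which the block was freed twice.
    earlier = {f for f, _ in stacks["first_free"][1:]}
    for func, _ in stacks["bad_free"][1:]:
        if func != "???" and func in earlier:
            return func

def first_app_frame(stack):
    # First frame with file:line info, i.e. the caller outside the library.
    return next(((f, l) for f, l in stack if not l.startswith("in ")), None)

def triage(report):
    s = parse_invalid_free(report)
    double = "first_free" in s  # memcheck prints the "free'd" stack only for an already-released block
    return {"double_free": double, "culprit": shared_release_path(s) if double else None,
            "app_entry": {k: first_app_frame(v) for k, v in s.items()}}
```

On the report above this points at gnutls_x509_crt_get_subject_alt_othername_oid as the function that releases the block on both paths, with tls_gnutls.c:107 as the only libstrophe frame involved.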

pasis commented 3 years ago

Ubuntu 20.04 with gnutls 3.6.13 doesn't report the issue.

sjaeckel commented 3 years ago

This is an issue inside GnuTLS ... seems like Ubuntu gave up on maintaining this package pretty early if they stopped at 3.4.10 ... the latest version of the 3.4 series is 3.4.17 ... Debian seems to have packaged until 3.4.14 ...

This GnuTLS version is nearly 5 years old and 16.04 is out of the regular maintenance updates and will only receive updates if you're a paying customer ... IMO either we find a paying customer to report this to Canonical or we can ignore this.

@ueno are you aware of this issue?

@ametzler highlighting you here only FYI, as you're the maintainer of https://salsa.debian.org/gnutls-team/gnutls IIUC

@nmav highlighting you here as you were GnuTLS maintainer at the time this version was released and you're now at Canonical :)

ametzler commented 3 years ago

@sjaeckel: Please do not mistake "stopped at version x" for "gave up on maintaining". See https://www.debian.org/security/faq.en.html#oldversion. Debian 9 (stretch) is not supported directly by Debian (and its security team) anymore: https://lists.debian.org/debian-announce/2020/msg00004.html. The Debian LTS project might provide an update though. Did you bisect this?

sjaeckel commented 3 years ago

Please do not mistake "stopped at version x" for "gave up on maintaining".

Definitely not :)

Did you bisect this?

Sorry, no I didn't investigate further than checking the versions.

ueno commented 3 years ago

I wasn't aware, but the offending code has been removed as part of this change, backported to the 3.5 branch during the 3.6 development cycle. Therefore I believe it's no longer applicable to any maintained gnutls releases in upstream.

pasis commented 3 years ago

Thank you all for the update! I've changed the Ubuntu version to 20.04 in the Travis config. Closing this issue.