Dear Maintainer, I have filed a patch for set_init_args (thus the bugs related to these four functions are fixed completely) to upstream on github, which has been merged into its master branch 6 hours ago.
Please check. On Sun, 18 Oct 2015 17:31:08 -0400 Eric Dorland <e...@debian.org> wrote: > * persmule (persm...@gmail.com) wrote: > > Package: libengine-pkcs11-openssl > > Version: 0.1.8-5 > > Severity: grave > > Tags: security > > Justification: user security hole > > > > Dear Maintainer, > > > > Functions in src/engine_pkcs11.c to set static global data (set_module, > > set_pin, get_pin and set_init_args) do not free memories pointed by the > > corresponding pointers before assigning them to newly allocated > > memories, which > > may cause memory leaks if they are called more than once. > > > > The bugs related to set_module, set_pin and get_pin are fixed on > > upstream, but > > the one of set_init_args is not. > > Agreed that these are valid memory leaks but what's the security > implication? This doesn't seem obviously exploitable. > > -- > Eric Dorland <e...@kuroneko.ca> > 43CF 1228 F726 FD5B 474C E962 C256 FBD5 0022 1E93
signature.asc
Description: OpenPGP digital signature
