Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

I (and Heiko from exim upstream) would like to fix #845569 in jessie. sid/testing already include the fix, it was part of 4.88~RC6.

The issue is a memleak in the GnuTLS code, the patch is a two line change. Heiko has provided a very nice writeup in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845569#20

thanks, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru exim4-4.84.2/debian/changelog exim4-4.84.2/debian/changelog --- exim4-4.84.2/debian/changelog 2016-12-22 12:17:01.000000000 +0100 +++ exim4-4.84.2/debian/changelog 2017-01-02 19:42:06.000000000 +0100 @@ -1,3 +1,11 @@ +exim4 (4.84.2-2+deb8u3) jessie; urgency=medium + + * 94_Fix-memory-leak-on-Gnu-TLS-close.patch from upstream exim-4_84_2+fixes + branch: Fix GnuTLS memory leak. (Thanks, Heiko Schlittermann!) + Closes: #845569 + + -- Andreas Metzler <ametz...@debian.org> Mon, 02 Jan 2017 19:18:05 +0100 + exim4 (4.84.2-2+deb8u2) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch --- exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch 2016-12-31 17:46:00.000000000 +0100 
@@ -0,0 +1,52 @@ +From 867e8fe25dbfb1e31493488ad695bde55b890397 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <h...@schlittermann.de> +Date: Wed, 23 Nov 2016 12:02:26 +0100 +Subject: [PATCH] Fix memory leak on (Gnu)TLS close. + +This leak doesn't show up under normal operation, as the process +normally dies right after closing the session. + +But during callout repetitive TLS sessions are opened and closed from +the same process (the process receiving the message). Depending on +the amount of RAM and the number of callouts the same process does, +this may be a problem. (On an amd64 machine with 4GB RAM, at about 1000 +recipients the memory is exhausted.) + +(cherry picked from commit ed62aae3051c9a713d35c8ae516fbd193d1401ba) +--- + src/tls-gnu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/tls-gnu.c b/src/tls-gnu.c +index 61ed0e81..670f8cbc 100644 +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -1729,6 +1729,7 @@ if (rc != GNUTLS_E_SUCCESS) + + if (!sigalrm_seen) + { ++ gnutls_certificate_free_credentials(state->x509_cred); + (void)fclose(smtp_out); + (void)fclose(smtp_in); + } +@@ -2014,6 +2015,8 @@ if (shutdown) + } + + gnutls_deinit(state->session); ++gnutls_certificate_free_credentials(state->x509_cred); ++ + + state->tlsp->active = -1; + memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init)); +@@ -2074,6 +2077,8 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm) + receive_smtp_buffered = smtp_buffered; + + gnutls_deinit(state->session); ++ gnutls_certificate_free_credentials(state->x509_cred); ++ + state->session = NULL; + state->tlsp->active = -1; + state->tlsp->bits = 0; +-- +2.11.0 + diff -Nru exim4-4.84.2/debian/patches/series exim4-4.84.2/debian/patches/series --- exim4-4.84.2/debian/patches/series 2016-12-22 12:17:01.000000000 +0100 +++ exim4-4.84.2/debian/patches/series 2016-12-31 17:45:15.000000000 +0100 
@@ -23,3 +23,4 @@ 91_Expansions-Fix-crash-in-crypteq-On-OpenBSD-a-bad-sec.patch 92_CVE-2016-1238.diff 93_CVE-2016-9963-Fix-DKIM-information-leakage.patch +94_Fix-memory-leak-on-Gnu-TLS-close.patch
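
Review bot: in the "@@ -1729" hunk of src/tls-gnu.c the new gnutls_certificate_free_credentials(state->x509_cred) call sits inside "if (!sigalrm_seen)", so when the handshake fails because the alarm fired the credentials are still not released. The lines shown also have no gnutls_deinit(state->session) before the free, unlike the other two hunks, and do not clear state->x509_cred afterwards. If skipping the free on the timeout path is intended, a short comment saying why would help; otherwise move the call out of the conditional. Either way, setting state->x509_cred = NULL after the free would make it obvious that a later close on the same state cannot release it a second time.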
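
Review bot: the "@@ -2014" hunk adds an empty line after the new call directly in front of a context line that is already blank, leaving two consecutive blank lines before "state->tlsp->active = -1;". Drop the added blank line. The placement itself reads fine: the free follows gnutls_deinit(state->session), and the memcpy from exim_gnutls_state_init right after it resets the state, so no stale x509_cred pointer is left behind here.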
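
Review bot: in the "@@ -2074" hunk the lines after gnutls_certificate_free_credentials(state->x509_cred) reset state->session to NULL but, as far as the context shows, leave state->x509_cred pointing at the freed structure. The "@@ -2014" hunk avoids this through the memcpy reset; here I would add "state->x509_cred = NULL;" next to "state->session = NULL;" so the two members are cleared together.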