Bug#530131: marked as done (libcurl3-gnutls has memory corruption)

Sun, 24 May 2009 15:23:08 -0700 

Your message dated Sun, 24 May 2009 21:32:39 +0000
with message-id <[email protected]>
and subject line Bug#530131: fixed in curl 7.19.5-1
has caused the Debian Bug report #530131,
regarding libcurl3-gnutls has memory corruption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
530131: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530131
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: libcurl3-gnutls
Version: 7.18.2-8lenny2

Hello!
 I'm using libcurl-7.18.2 with GNU-TLS, with curl_multi_* interface.
I'm not using share handles. When i start my program on server with
high bandwidth rate, with a large amount of network streams, libcurl
causes memory corruption.
 I've wrote simple testcase(libcurl_bug_testcase.c), that reproduces
programs behaviour. Don't worry about irrational usage of
curl_easy_setopt, this is done to duplicate behaviour of my
apllication, which is much more complex then this testcase. Also i'm
attaching links set, with which bug appears(links.txt).
 When i run testcase under valgrind, in 80 network streams, there is
memory corruption in libcurl. There is invalid write of 4 bytes in
multi_runsingle (multi.c:907), which causes magic behaviour. You can
see it in attachment(valgrind_error_log.txt). If i run testcase
without valgrind, memory corruption results in segmentation fault.
 I checked this testcase with libcurl-7.19.5 and it seems, that bug is
fixed in it(i configured it with folowing options:
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt --without-ssl
--with-gnutls --without-libssh2).

 My system info:
    uname -a
        Linux * 2.6.26-2-686 #1 SMP Thu Mar 26 01:08:11 UTC 2009 i686 GNU/Linux

    aptitude show libcurl3-gnutls
        Package: libcurl3-gnutls
        State: installed
        Automatically installed: yes
        Version: 7.18.2-8lenny2
        Priority: optional
        Section: libs
        Maintainer: Domenico Andreoli <[email protected]>
        Uncompressed Size: 418k
        Depends: libc6 (>= 2.7-1), libgnutls26 (>= 2.4.0-0), libidn11
(>= 0.5.18), libkrb53 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7),
zlib1g (>= 1:1.1.4), ca-certificates
        Conflicts: libcurl4-gnutls
        Replaces: libcurl4-gnutls
        Description: Multi-protocol file transfer library (GnuTLS)
         libcurl is designed to be a solid, usable, reliable and
portable multi-protocol file transfer library.

         SSL support is provided by GnuTLS.

         This is the shared version of libcurl.
        Homepage: http://curl.haxx.se

    gcc -v
        Using built-in specs.
        Target: i486-linux-gnu
        Configured with: ../src/configure -v --with-pkgversion='Debian
4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs
--enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3
--enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc
--enable-mpfr --enable-targets=all --enable-cld
--enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu
--target=i486-linux-gnu
        Thread model: posix
        gcc version 4.3.2 (Debian 4.3.2-1.1)

 Attachments:
    libcurl_bug_testcase.c - testcase, that reproduces memory corruption.
    links.txt - file with links, that should be passed to testcase.
    valgrind_error_log.txt - valgrind output on my server/desktop.


 With best regards, Piter Smith.

Attachment: attachments.tar.gz
Description: GNU Zip compressed data


--- End Message ---
--- Begin Message --- 
Source: curl
Source-Version: 7.19.5-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.19.5-1.diff.gz
  to pool/main/c/curl/curl_7.19.5-1.diff.gz
curl_7.19.5-1.dsc
  to pool/main/c/curl/curl_7.19.5-1.dsc
curl_7.19.5-1_amd64.deb
  to pool/main/c/curl/curl_7.19.5-1_amd64.deb
curl_7.19.5.orig.tar.gz
  to pool/main/c/curl/curl_7.19.5.orig.tar.gz
libcurl3-dbg_7.19.5-1_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.19.5-1_amd64.deb
libcurl3-gnutls_7.19.5-1_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.19.5-1_amd64.deb
libcurl3_7.19.5-1_amd64.deb
  to pool/main/c/curl/libcurl3_7.19.5-1_amd64.deb
libcurl4-gnutls-dev_7.19.5-1_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.19.5-1_amd64.deb
libcurl4-openssl-dev_7.19.5-1_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.19.5-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Schuldei <[email protected]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sun, 24 May 2009 21:12:19 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev 
libcurl3-dbg
Architecture: source amd64
Version: 7.19.5-1
Distribution: unstable
Urgency: low
Maintainer: Domenico Andreoli <[email protected]>
Changed-By: Andreas Schuldei <[email protected]>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl 
(OpenSSL)
Closes: 530131
Changes: 
 curl (7.19.5-1) unstable; urgency=low
 .
   * New upstream release
   * Fix "libcurl3-gnutls has memory corruption" by upgrading to new upstream
     release, which fixes this bug (Closes: #530131)
   * update standards version to 3.8.1
   * adjust overrides from libdevel to debug for -dbg package
   * adjust doc-base section
Checksums-Sha1: 
 4265cf773f47590ae10f0adcb1908bfca8ba2657 1416 curl_7.19.5-1.dsc
 eb3dc0787063644cbf202311f9f29064d1d600ea 2934401 curl_7.19.5.orig.tar.gz
 12457c017b037ea4020c07daa03369ec54a73c91 86249 curl_7.19.5-1.diff.gz
 821c803f6eab5af1363c17dc6125effdfb6e8724 195324 curl_7.19.5-1_amd64.deb
 489229ab9892247b859001188e85b541286679bd 221808 libcurl3_7.19.5-1_amd64.deb
 576c3fdceb26ea9e07ddc21cf73c1e5b44f7d809 203544 
libcurl3-gnutls_7.19.5-1_amd64.deb
 dd154964935f9dd767e8c8b4a7c699fbf3b01b2d 1001450 
libcurl4-openssl-dev_7.19.5-1_amd64.deb
 1e4c439f48e35f13bdc108e2f16d0a122aaf61d5 978456 
libcurl4-gnutls-dev_7.19.5-1_amd64.deb
 31a6c81151dbb01af805668ea494ecd4a3d4ef32 75320 libcurl3-dbg_7.19.5-1_amd64.deb
Checksums-Sha256: 
 14122cad58942da0cf25157cbcc13e7d1a49a2dc7bbcdd4c93a8f494bf7c3753 1416 
curl_7.19.5-1.dsc
 2187129edf5149598fdf8f3c4d9d73cafecc136376abd2c82860cb97c4753011 2934401 
curl_7.19.5.orig.tar.gz
 2e4c542f3de9dd3987568c0d64726b30966d15880d5cbdd5b5f7b17a9d4eb9e7 86249 
curl_7.19.5-1.diff.gz
 28852bb5c6e6d145d13f8dd3c7eecbef3d3e7a6dcfb92ae68dabdef0d3822267 195324 
curl_7.19.5-1_amd64.deb
 a8c5092788cf887cf081e7956c4e31619ffd6602c44c295a8e5a0ab1bfd828e6 221808 
libcurl3_7.19.5-1_amd64.deb
 f1267683e011e4095128d193137e77266e62b56a2cdc23616076c0651e47a5e5 203544 
libcurl3-gnutls_7.19.5-1_amd64.deb
 6fe49d3be78f9a1edd53895a020436e0f81202c5f9f214740ad38a98c8c534f6 1001450 
libcurl4-openssl-dev_7.19.5-1_amd64.deb
 90a144113298be1b8c91074ae3abe5930252024ba367f9e3de85610111b827e4 978456 
libcurl4-gnutls-dev_7.19.5-1_amd64.deb
 2eca064c9f48ded61a987f584a73a37f2df1ce70f6df9c6e52567b77653b7339 75320 
libcurl3-dbg_7.19.5-1_amd64.deb
Files: 
 51d565be382de8f631db9b1c07717fa8 1416 web optional curl_7.19.5-1.dsc
 71d9bd7851b3b417083571fbe50ccc9e 2934401 web optional curl_7.19.5.orig.tar.gz
 ddf9e13f856bf80f6eb789706a516eb9 86249 web optional curl_7.19.5-1.diff.gz
 a0e7b63c8c1c8f2997f4ce2961682d9a 195324 web optional curl_7.19.5-1_amd64.deb
 cf90aa8df92a26927fedd83ed6495913 221808 libs optional 
libcurl3_7.19.5-1_amd64.deb
 fc6dbc30a53d4200e9e9f1007292d1b9 203544 libs optional 
libcurl3-gnutls_7.19.5-1_amd64.deb
 7c9f2826e6c9c89b05f833fc55e00e0b 1001450 libdevel optional 
libcurl4-openssl-dev_7.19.5-1_amd64.deb
 28330c81c401a08327dfcf668f6d3683 978456 libdevel optional 
libcurl4-gnutls-dev_7.19.5-1_amd64.deb
 e11f006c28e9785c4c72d83841f46315 75320 debug extra 
libcurl3-dbg_7.19.5-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREDAAYFAkoZptQACgkQ8g+sC3uDV+Xk1wCgzdxLxnWLcLs7ZT3O6a5hFa2H
VfAAoIfrsgCgPkev6CUaWK2Lcw4fKf7c
=CPI9
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to