Your message dated Sat, 21 Mar 2026 16:39:30 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#1127439: Bug#1127439: Resolved
has caused the Debian Bug report #1127439,
regarding openssl: MD5_Final performing out-of-bounds-write
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127439
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 3.0.18-1~deb12u2
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
When initializing clamav, it initializes a message digest context using
EVP_MD_CTX_new(). After doing its work, it uses MD5_Final to finalize
the message digest, but doing so performs an out-of-bunds write.
Here is the report from valgrind about the out-of-bounds write and where
it was allocated from:
==18420== Invalid write of size 8
==18420== at 0x1311D234: memset (vg_replace_strmem.c:1358)
==18420== by 0xA2017B1: MD5_Final (md5.c:288)
==18420== by 0x158F7D6A: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420== by 0x157E7870: EVP_DigestFinal_ex (in
/usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420== by 0x1321AAC9: cl_finish_hash (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x1321F823: cli_hashstream (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x13206CAD: ??? (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x13206EAD: ??? (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x132116C8: ??? (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x132145F1: cl_load (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x69FBC2C: <clamav_rs::engine::Engine>::load_databases
(engine.rs:165)
==18420== by 0x66DA75F: uldatacatalog::drive::av::init (av.rs:110)
==18420== Address 0x18139d20 is 4 bytes after a block of size 92 alloc'd
==18420== at 0x131137B4: malloc (vg_replace_malloc.c:381)
==18420== by 0x158253E8: CRYPTO_zalloc (in
/usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420== by 0x157E8ACC: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420== by 0x1321AA49: cl_hash_init (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x1321F7D1: cli_hashstream (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x13206CAD: ??? (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x13206EAD: ??? (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x132116C8: ??? (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x132145F1: cl_load (in
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420== by 0x69FBC2C: <clamav_rs::engine::Engine>::load_databases
(engine.rs:165)
==18420== by 0x66DA75F: uldatacatalog::drive::av::init (av.rs:110)
==18420== by 0x62B35C5: uldatacatalog::init::{closure#0} (lib.rs:258)
-- System Information:
Debian Release: 12.13
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500,
'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.8.0-90-generic (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages openssl depends on:
ii libc6 2.36-9+deb12u13
ii libssl3 3.0.18-1~deb12u2
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20230311+deb12u1
-- no debconf information
--- End Message ---
--- Begin Message ---
On 2026-02-10 12:11:58 [-0800], Max Burke wrote:
> It was an included dependency that due to build configuration was using
> libcrypto but rather including its own MD5_Final, which then the loader
> selected when another shared object (libclamav) was loaded.
Closing then.
Sebastian
--- End Message ---
