Package: stunnel4
Version: 3:5.50-3
Severity: important

Dear Maintainer,

When running AWS efs-utils (https://github.com/aws/efs-utils), which relies on stunnel4, I see a lot of syslog messages of the form:

stunnel: INTERNAL ERROR: Bad magic at options.c, line 1035

This message appears to be due to lines 28-29 of debian/patches/04-restore-pidfile-default.patch:

- new_global_options.pidfile=NULL; /* do not create a pid file */
+ new_global_options.pidfile=PIDFILE;

I think these lines should instead be:

- new_global_options.pidfile=NULL; /* do not create a pid file */
+ new_global_options.pidfile=str_dup(PIDFILE)

This is because, when a SIGHUP signal is received, stunnel will attempt to reload the configuration file. In the process of doing that it will call str_free() on the pidfile path string, as shown in the CMD_FREE case clause of the same switch statement to which the above patch lines apply. (This case clause corresponds to lines 1051-1055 of the unpatched file src/options.c.)

This bug seems like it could cause memory corruption issues, so I labeled it as important. Feel free to change the severity if this was incorrect.

I didn't find this bug already reported in BTS, but I did find it reported in Ubuntu's bug tracker:
https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1901784

I also verified that this bug is still in the testing and unstable version of the stunnel4 package (3:5.56+dfsg-9).

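
Review bot: the proposed replacement line "+ new_global_options.pidfile=str_dup(PIDFILE)" has no terminating semicolon, so the patch would not compile as written; it should end "str_dup(PIDFILE);". Because the CMD_FREE clause is described as calling str_free() on this field, it is also worth confirming that every other assignment to new_global_options.pidfile in that switch statement stores an allocated copy rather than a constant.
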
Thank you,
Shane Frasier

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-cloud-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages stunnel4 depends on:
ii  adduser      3.118
ii  libc6        2.28-10
ii  libssl1.1    1.1.1d-0+deb10u6
ii  libsystemd0  241-7~deb10u7
ii  libwrap0     7.6.q-28
ii  lsb-base     10.2019051400
ii  netbase      5.6
ii  openssl      1.1.1d-0+deb10u6
ii  perl         5.28.1-6+deb10u1

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>

-- no debconf information
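
The failure mode described in this report, as an added example that is not part of the original report and is not stunnel's code: a toy allocator tags each tracked string with a magic header, so freeing a compile-time constant on every reload fails the tag check, while freeing a duplicated copy succeeds. All toy_ names, the tag value and the path are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAGIC 0xA110C8EDu            /* constructed tag value */
typedef struct { uint32_t magic, len; } toy_hdr;

/* Static default, modelling a compile-time PIDFILE constant (path is made up).
 * The leading member only keeps the header read in toy_str_free() in bounds. */
static struct toy_static { toy_hdr not_a_header; char path[24]; }
    toy_default = { {0, 0}, "/run/example.pid" };
static char *toy_pidfile_const(void) {
    return (char *)&toy_default + offsetof(struct toy_static, path);
}

/* Tracked copy: [magic|len][bytes...], caller gets a pointer to the bytes. */
char *toy_str_dup(const char *s) {
    size_t n = strlen(s) + 1;
    toy_hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->magic = TOY_MAGIC; h->len = (uint32_t)n;
    memcpy(h + 1, s, n);
    return (char *)(h + 1);
}

/* Returns 0 if freed, -1 on "bad magic" (pointer never came from toy_str_dup). */
int toy_str_free(char *p) {
    toy_hdr h;
    if (!p) return 0;
    memcpy(&h, p - sizeof h, sizeof h);
    if (h.magic != TOY_MAGIC) return -1;
    memset(p - sizeof h, 0, sizeof h);   /* clear tag before releasing the block */
    free(p - sizeof h);
    return 0;
}

/* Each simulated reload frees the old pidfile, then restores the default.
 * use_dup = 0 models "pidfile=PIDFILE", use_dup = 1 models "str_dup(PIDFILE)". */
int toy_reloads_with_bad_magic(int use_dup, int reloads) {
    char *pidfile = use_dup ? toy_str_dup(toy_pidfile_const()) : toy_pidfile_const();
    int bad = 0;
    for (int i = 0; i < reloads; i++) {
        if (toy_str_free(pidfile) != 0) bad++;
        pidfile = use_dup ? toy_str_dup(toy_pidfile_const()) : toy_pidfile_const();
    }
    if (use_dup) toy_str_free(pidfile);
    return bad;
}
```

The toy returns an error code where a real tag-checking allocator would log or abort; an allocator without such a check would pass the constant's address straight to free().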