Bug#1127439: openssl: MD5_Final performing out-of-bounds-write

Sun, 08 Feb 2026 10:27:14 -0800 

Package: openssl
Version: 3.0.18-1~deb12u2
Severity: normal
X-Debbugs-Cc: [email protected]

Dear Maintainer,

When initializing clamav, it initializes a message digest context using
EVP_MD_CTX_new(). After doing its work, it uses MD5_Final to finalize
the message digest, but doing so performs an out-of-bunds write.

Here is the report from valgrind about the out-of-bounds write and where
it was allocated from:


==18420== Invalid write of size 8
==18420==    at 0x1311D234: memset (vg_replace_strmem.c:1358)
==18420==    by 0xA2017B1: MD5_Final (md5.c:288)
==18420==    by 0x158F7D6A: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420==    by 0x157E7870: EVP_DigestFinal_ex (in 
/usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420==    by 0x1321AAC9: cl_finish_hash (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x1321F823: cli_hashstream (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x13206CAD: ??? (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x13206EAD: ??? (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x132116C8: ??? (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x132145F1: cl_load (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x69FBC2C: <clamav_rs::engine::Engine>::load_databases 
(engine.rs:165)
==18420==    by 0x66DA75F: uldatacatalog::drive::av::init (av.rs:110)
==18420==  Address 0x18139d20 is 4 bytes after a block of size 92 alloc'd
==18420==    at 0x131137B4: malloc (vg_replace_malloc.c:381)
==18420==    by 0x158253E8: CRYPTO_zalloc (in 
/usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420==    by 0x157E8ACC: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==18420==    by 0x1321AA49: cl_hash_init (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x1321F7D1: cli_hashstream (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x13206CAD: ??? (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x13206EAD: ??? (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x132116C8: ??? (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x132145F1: cl_load (in 
/usr/lib/x86_64-linux-gnu/libclamav.so.12.0.3)
==18420==    by 0x69FBC2C: <clamav_rs::engine::Engine>::load_databases 
(engine.rs:165)
==18420==    by 0x66DA75F: uldatacatalog::drive::av::init (av.rs:110)
==18420==    by 0x62B35C5: uldatacatalog::init::{closure#0} (lib.rs:258)


-- System Information:
Debian Release: 12.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.0-90-generic (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages openssl depends on:
ii  libc6    2.36-9+deb12u13
ii  libssl3  3.0.18-1~deb12u2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20230311+deb12u1

-- no debconf information

Reply via email to