I apologize for the pause. I'm somewhat inexperienced at git, and am unsure how to make a pull request to a non-github repository.
The commit I showed you is still at [1], but I've now cherry-picked it into its own branch at [2]. I've also run a `git request-pull` on my local machine, whose results I have copied below, but I don't think that actually sent anything to you. How do I make a pull request? Sorry for such a newbie question.

Output of `git request-pull`:
"""
alan-14:03>git request-pull -p master https://github.com/keyme/libfprint g_malloc0
The following changes since commit 9570c36fd42bff6246de50ace398a457b9495b46:

  build: Fix running autogen.sh out-of-tree (2016-07-19 11:18:58 +0200)

are available in the git repository at:

  https://github.com/keyme/libfprint g_malloc0

for you to fetch changes up to 0d0fa5a523662e69c3929b2fe530d9d36e2f06d3:

  Fix security hole: zero out memory when allocated (2016-08-23 14:03:03 -0400)

----------------------------------------------------------------
Alan Davidson (1):
      Fix security hole: zero out memory when allocated

 libfprint/data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

- Alan

[1] https://github.com/keyme/libfprint/commit/1b71aff9ea389c427f9f8bfaabf8aa0acde37269
[2] https://github.com/keyme/libfprint/compare/g_malloc0?expand=1

On Fri, Aug 19, 2016 at 12:49 PM, Alan Davidson <[email protected]> wrote:

> Thanks for taking a look! and thanks for maintaining this library; it's
> very useful.
>
> - Alan
>
> On Fri, Aug 19, 2016 at 1:56 AM, Vasily Khoruzhick <[email protected]>
> wrote:
>
>> Hi Alan,
>>
>> Thanks for your e-mail and patch.
>>
>> I expect it to be in worst case some re-used memory of libfprint, so
>> it's not really a security leak, since the only sensitive information
>> is saved to the disk. But I'll take your patch.
>>
>> Regards,
>> Vasily
>>
>> On Thu, Aug 18, 2016 at 3:01 PM, Alan Davidson <[email protected]> wrote:
>> > Hi libfprint folks -
>> >
>> > I was enrolling fingerprints and saving the data to files (using
>> > fp_print_data_get_data), when I noticed that the data section for the
>> > minutiae had interesting stuff in the unused parts. This is to say, the
>> > xyt_struct (from bozorth.h) allocates space for 200 minutiae, and if I only
>> > use 50 of them, the other 150 are still allocated and have stuff in them.
>> > These values come from things that were previously allocated and deallocated
>> > on the heap, and the data is still there because it wasn't zeroed out when
>> > we re-allocated it.
>> >
>> > I think it should be zeroed out, to prevent leaking whatever used to be in
>> > this memory. What do you think? It's a very easy change; see the commit at
>> > [1], though I'm unclear how to transfer it to your repo. Without this
>> > change, enrolled fingerprints saved to file on my computer have non-null
>> > data in the unused minutiae, and with it, all the unused minutiae are full
>> > of null bytes.
>> >
>> > A little more detail: this happens in fpi_img_to_print_data (in img.c), when
>> > we create a new item to store the minutiae in xyt format. The data is later
>> > copied wholesale into the output buffer in fp_print_data_get_data.
>> >
>> > Thanks for taking a look!
>> >
>> > - Alan
>> >
>> > [1]
>> > https://github.com/keyme/libfprint/commit/1b71aff9ea389c427f9f8bfaabf8aa0acde37269
>> >
>> > _______________________________________________
>> > fprint mailing list
>> > [email protected]
>> > https://lists.freedesktop.org/mailman/listinfo/fprint
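The leak discussed in this thread, as an added example that is not libfprint's code and not part of the original messages: a fixed 200-slot minutiae record is copied wholesale to the output, once from a non-zeroed allocation and once from a zeroed one, and a check counts the stale bytes in the unused slots. The struct layout, the one-block pool standing in for heap reuse, the 0x5A filler and all function names are assumptions made for the illustration.

```c
#include <string.h>

#define MAX_MINUTIAE 200   /* fixed capacity, as described in the thread */

struct xyt_record {        /* hypothetical stand-in for xyt_struct */
    int nrows;             /* slots actually used */
    int x[MAX_MINUTIAE], y[MAX_MINUTIAE], theta[MAX_MINUTIAE];
};

/* Constructed one-block "heap": contents survive between uses unless the
 * allocation zeroes them (zero=0 models g_malloc, zero=1 models g_malloc0). */
static struct xyt_record pool;
static struct xyt_record *pool_alloc(int zero)
{
    if (zero) memset(&pool, 0, sizeof pool);
    return &pool;
}

/* Fill `used` slots, then copy the whole record to `out`, unused slots too. */
static size_t enroll_and_serialize(int used, int zero, unsigned char *out)
{
    if (used < 0 || used > MAX_MINUTIAE)
        return 0;                       /* refuse to overrun the fixed arrays */
    memset(&pool, 0x5A, sizeof pool);   /* constructed leftovers of a prior owner */
    struct xyt_record *r = pool_alloc(zero);
    r->nrows = used;
    for (int i = 0; i < used; i++) {
        r->x[i] = i; r->y[i] = 2 * i; r->theta[i] = 3 * i;
    }
    memcpy(out, r, sizeof *r);
    return sizeof *r;
}

/* Check for a saved record: count non-zero bytes in the unused slots. */
static size_t stale_bytes(const unsigned char *buf)
{
    struct xyt_record r;
    size_t n = 0;
    memcpy(&r, buf, sizeof r);
    if (r.nrows < 0 || r.nrows > MAX_MINUTIAE)
        return (size_t)-1;              /* malformed record */
    const int *cols[3] = { r.x, r.y, r.theta };
    for (int c = 0; c < 3; c++) {
        const unsigned char *p = (const unsigned char *)(cols[c] + r.nrows);
        for (size_t i = 0; i < (MAX_MINUTIAE - r.nrows) * sizeof(int); i++)
            n += (p[i] != 0);
    }
    return n;
}
```

Running `stale_bytes` over records already saved to disk shows which ones were written before the allocation was zeroed.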
