> [...]
> >
> > The patch in Debian (most likely my fault) semantically amounts to this:
> >
> > if(!(buffer = cli_malloc(FILEBUFF))){
> > close(s);
> > }
> > close(d);
> > return -1;
> >
> > Instead of this:
> >
> > if(!(buffer = cli_malloc(FILEBUFF))){
> > close(s);
> > close(d);
> > return -1;
> > }
> >
> > In other words, the buggy version in Debian always closes the fd d and
> > returns -1 from that block of code, rather than only doing those two
> > thing if the malloc fails.
> >
> > Hope that makes it clearer.
>
> OMG, I forgot about the missing { } -- I guess we should ask the security team
> to wait for another upload fixing this? I can do it, but would like to get
> your
> ok.
> Well, that is a bug indeed, but the cli_filecopy function (which contains that code) is never actually called!? So, should we fix it or not? Best, Michael
pgpIES0LW5AJK.pgp
Description: PGP signature
_______________________________________________ Pkg-clamav-devel mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/pkg-clamav-devel
