Bug#623546: Double free / use-after-free bugs in dumper.c

2011-04-29 Thread Tomas Hoger
Hey!

Fedora / Red Hat amanda packages maintainer pointed out that amfree is
a macro that does:

  amfree(ptr) -- if allocated, release space and set ptr to NULL. 

http://amanda.svn.sourceforge.net/viewvc/amanda/amanda/trunk/common-src/amanda.h?revision=3457view=markup#l461

which should make this false-positive / not-a-bug.

HTH

th.






Bug#623546: Double free / use-after-free bugs in dumper.c

2011-04-20 Thread Silvio Cesare
Package: amanda-server
Version: 1:2.5.2p1-4
Severity: important
Tags: security

I have been performing binary static analysis on some of the Debian 5
package repository.

I identified the following problem in amanda-2.5.2/server-src/dumper.c

    if (mkpdir(indexfile_tmp, 02755, (uid_t)-1, (gid_t)-1) == -1) {
        errstr = newvstralloc(errstr,
                              "err create ",
                              indexfile_tmp,
                              ": ",
                              strerror(errno),
                              NULL);
**      amfree(indexfile_real);
**      amfree(indexfile_tmp);
        goto failed;
    }

    ..
    ..

failed:
    ..
    ..
    if (indexfile_tmp) {
        unlink(indexfile_tmp);
**      amfree(indexfile_tmp);
**      amfree(indexfile_real);
    }

    return 0;
}

The first set of frees appears to be incorrect and should be removed. I have
only investigated this problem on Lenny, but it should be checked to see if
this issue is present in the stable or unstable Debian trees.

--
Silvio
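The following is an added example, not code from amanda or from either poster, that models the control flow Silvio flags in dumper.c and the point Tomas makes about it: amfree is a free-and-NULL macro, so the second pair of calls at the failed: label is skipped rather than freeing the same block twice. The macro body below is written from the one-line description quoted in the thread and is an assumption; fake_mkpdir, dup_path and the path strings are constructed stand-ins so the example runs offline. A counter of real free() calls lets a test prove that exactly one release per buffer happens on the failure path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Counter of real free() calls, so a test can show no double free occurs. */
static int frees_performed;

static void counted_free(void *p)
{
    free(p);
    frees_performed++;
}

/* Constructed model of amanda's amfree() macro, written from the description
 * quoted in the thread ("if allocated, release space and set ptr to NULL").
 * The real macro body is not on the page; this is an assumption. */
#define amfree(ptr) do { if ((ptr) != NULL) { counted_free(ptr); (ptr) = NULL; } } while (0)

/* Hypothetical stand-in for mkpdir(): fails with EACCES when 'fail' is set. */
static int fake_mkpdir(const char *path, int fail)
{
    (void)path;
    if (fail) { errno = EACCES; return -1; }
    return 0;
}

/* Small helper to allocate a copy of a string (constructed input). */
static char *dup_path(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

/* Mirrors the control flow of the reported dumper.c fragment: on a mkpdir
 * failure both pointers are amfree()d, then the 'failed:' label amfree()s
 * them again. Returns the number of real free() calls made. */
int dumper_cleanup_model(int mkdir_fails)
{
    char *indexfile_real = dup_path("/tmp/example.index");      /* constructed */
    char *indexfile_tmp  = dup_path("/tmp/example.index.tmp");  /* constructed */
    frees_performed = 0;

    if (fake_mkpdir(indexfile_tmp, mkdir_fails) == -1) {
        /* The "first set of frees" from the report. */
        amfree(indexfile_real);
        amfree(indexfile_tmp);
        goto failed;
    }

    /* Success path (simplified): release both names and return. */
    amfree(indexfile_real);
    amfree(indexfile_tmp);
    return frees_performed;

failed:
    /* Because amfree() set indexfile_tmp to NULL above, this block is skipped
     * on the failure path; with a plain free() it would be a double free.
     * (The original also calls unlink() here; omitted in this model.) */
    if (indexfile_tmp) {
        amfree(indexfile_tmp);
        amfree(indexfile_real);
    }
    return frees_performed;
}

/* The property a binary static analyser can miss: after amfree() the pointer
 * is NULL, so a repeated amfree() releases nothing. Returns 1 if so. */
int amfree_leaves_null(void)
{
    char *p = dup_path("x");
    frees_performed = 0;
    amfree(p);
    amfree(p);            /* second call is a no-op, not a double free */
    return p == NULL && frees_performed == 1;
}

int main(void)
{
    printf("frees on mkpdir failure: %d\n", dumper_cleanup_model(1));
    printf("frees on success:        %d\n", dumper_cleanup_model(0));
    printf("amfree leaves NULL:      %d\n", amfree_leaves_null());
    return 0;
}
```

Both paths perform exactly two real frees, one per buffer, which is why the report is a false positive given amfree's semantics; a tool reasoning about free() call sites alone cannot see the NULL assignment the macro performs in between.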