GNU bug report logs - #61819
The CVE-2022-48337 fix seems to introduce a memory leak

Previous Next

Package: emacs;

Reported by: Adrian Bunk <bunk <at> debian.org>

Date: Sun, 26 Feb 2023 17:42:02 UTC

Severity: normal

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 61819 in the body.
You can then email your comments to 61819 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#61819; Package emacs. (Sun, 26 Feb 2023 17:42:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Adrian Bunk <bunk <at> debian.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 26 Feb 2023 17:42:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Adrian Bunk <bunk <at> debian.org>
To: bug-gnu-emacs <at> gnu.org
Subject: The CVE-2022-48337 fix seems to introduce a memory leak
Date: Sun, 26 Feb 2023 12:40:45 +0200

In the upstream bug for CVE-2022-48337 there was originally[1]
+          free (new_real_name);
+          free (new_tmp_name);
in the fix that later disappeared (by accident?).

This seems to introduce a memory leak, this memory allocated
by escape_shell_arg_string() is now never freed.

cu
Adrian

[1] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59817#23
Reply sent to Eli Zaretskii <eliz <at> gnu.org>:
You have taken responsibility. (Sun, 26 Feb 2023 18:05:01 GMT) Full text and rfc822 format available.
Notification sent to Adrian Bunk <bunk <at> debian.org>:
bug acknowledged by developer. (Sun, 26 Feb 2023 18:05:01 GMT) Full text and rfc822 format available.

Message #10 received at 61819-done <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Adrian Bunk <bunk <at> debian.org>
Cc: 61819-done <at> debbugs.gnu.org
Subject: Re: bug#61819: The CVE-2022-48337 fix seems to introduce a memory leak
Date: Sun, 26 Feb 2023 20:04:11 +0200

> Date: Sun, 26 Feb 2023 12:40:45 +0200
> From: Adrian Bunk <bunk <at> debian.org>
> 
> In the upstream bug for CVE-2022-48337 there was originally[1]
> +          free (new_real_name);
> +          free (new_tmp_name);
> in the fix that later disappeared (by accident?).
> 
> This seems to introduce a memory leak, this memory allocated
> by escape_shell_arg_string() is now never freed.

Thanks, fixed.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 27 Mar 2023 11:24:07 GMT) Full text and rfc822 format available.
This bug report was last modified 1 year and 241 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.