Bug#849967: jessie-pu: package exim4/4.84.2-2+deb8u3

Andreas Metzler ametzler at bebt.de
Mon Jan 2 18:44:53 UTC 2017


Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Hello,

I (and Heiko from exim upstream) would like to fix #845569 in jessie.
sid/testing already include the fix; it was part of 4.88~RC6.

The issue is a memleak in the GnuTLS code, the patch is a two-line
change. Heiko has provided a very nice writeup in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845569#20

thanks, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
diff -Nru exim4-4.84.2/debian/changelog exim4-4.84.2/debian/changelog
--- exim4-4.84.2/debian/changelog	2016-12-22 12:17:01.000000000 +0100
+++ exim4-4.84.2/debian/changelog	2017-01-02 19:42:06.000000000 +0100
@@ -1,3 +1,11 @@
+exim4 (4.84.2-2+deb8u3) jessie; urgency=medium
+
+  * 94_Fix-memory-leak-on-Gnu-TLS-close.patch from upstream exim-4_84_2+fixes
+    branch: Fix GnuTLS memory leak. (Thanks, Heiko Schlittermann!)
+    Closes: #845569
+
+ -- Andreas Metzler <ametzler at debian.org>  Mon, 02 Jan 2017 19:18:05 +0100
+
 exim4 (4.84.2-2+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
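Review bot: the changelog entry names the upstream exim-4_84_2+fixes branch but not the commit the patch was taken from; adding the upstream commit id that the patch header carries (867e8fe25dbfb1e31493488ad695bde55b890397, cherry-picked from ed62aae3051c9a713d35c8ae516fbd193d1401ba) would make the stable update traceable without opening the patch file. Otherwise the entry is in the expected shape for a jessie pu: distribution jessie, urgency medium, Closes: #845569.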
diff -Nru exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch
--- exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch	2016-12-31 17:46:00.000000000 +0100
@@ -0,0 +1,52 @@
+From 867e8fe25dbfb1e31493488ad695bde55b890397 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <hs at schlittermann.de>
+Date: Wed, 23 Nov 2016 12:02:26 +0100
+Subject: [PATCH] Fix memory leak on (Gnu)TLS close.
+
+This leak doesn't show up under normal operation, as the process
+normally dies right after closing the session.
+
+But during callout repetitive TLS sessions are opened and closed from
+the same process (the process receiving the message). Depending on
+the amount of RAM and the number of callouts the same process does,
+this may be a problem. (On an amd64 machine with 4GB RAM, at about 1000
+recipients the memory is exhausted.)
+
+(cherry picked from commit ed62aae3051c9a713d35c8ae516fbd193d1401ba)
+---
+ src/tls-gnu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/tls-gnu.c b/src/tls-gnu.c
+index 61ed0e81..670f8cbc 100644
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -1729,6 +1729,7 @@ if (rc != GNUTLS_E_SUCCESS)
+ 
+   if (!sigalrm_seen)
+     {
++    gnutls_certificate_free_credentials(state->x509_cred);
+     (void)fclose(smtp_out);
+     (void)fclose(smtp_in);
+     }
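Review bot: in the `if (!sigalrm_seen)` branch the credentials are freed but `state->x509_cred` is left pointing at freed memory; consider adding `state->x509_cred = NULL;` after the `gnutls_certificate_free_credentials(state->x509_cred);` call so that any later close path on the same state cannot free it a second time. It is also worth confirming that the `sigalrm_seen` path does not still leak the credentials, since only this branch gets the free.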
+@@ -2014,6 +2015,8 @@ if (shutdown)
+   }
+ 
+ gnutls_deinit(state->session);
++gnutls_certificate_free_credentials(state->x509_cred);
++
+ 
+ state->tlsp->active = -1;
+ memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
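Review bot: the unconditional free here is safe against a double free only because the following `memcpy(state, &exim_gnutls_state_init, ...)` resets the whole state; it should still be checked that `state->x509_cred` is non-NULL on every path that reaches this point (for example a close after a failed init), since nothing visible guards the call. Style nit: the added `+` blank line sits next to an existing blank line, leaving two consecutive blank lines after the free; drop one.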
+@@ -2074,6 +2077,8 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
+     receive_smtp_buffered = smtp_buffered;
+ 
+     gnutls_deinit(state->session);
++    gnutls_certificate_free_credentials(state->x509_cred);
++
+     state->session = NULL;
+     state->tlsp->active = -1;
+     state->tlsp->bits = 0;
+-- 
+2.11.0
+
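Review bot: `state->session` is set to NULL after `gnutls_deinit()`, but `state->x509_cred` is not reset after the new `gnutls_certificate_free_credentials(state->x509_cred);`; add `state->x509_cred = NULL;` next to `state->session = NULL;`, otherwise a later close of the same state could reach the unconditional free in the `@@ -2014` hunk with an already-freed pointer. The same doubled blank line as in the previous hunk appears here too.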
diff -Nru exim4-4.84.2/debian/patches/series exim4-4.84.2/debian/patches/series
--- exim4-4.84.2/debian/patches/series	2016-12-22 12:17:01.000000000 +0100
+++ exim4-4.84.2/debian/patches/series	2016-12-31 17:45:15.000000000 +0100
@@ -23,3 +23,4 @@
 91_Expansions-Fix-crash-in-crypteq-On-OpenBSD-a-bad-sec.patch
 92_CVE-2016-1238.diff
 93_CVE-2016-9963-Fix-DKIM-information-leakage.patch
+94_Fix-memory-leak-on-Gnu-TLS-close.patch