Description of problem:
this command always segfaults:

  gpg-agent --enable-ssh-support --use-standard-socket --daemon

(at least when you have the MALLOC_PERTURB_ envvar set to nonzero)

Version-Release number of selected component (if applicable):
gnupg2-2.0.17-2.fc16.i686

How reproducible:
every time

Steps to Reproduce:
1. env -i MALLOC_PERTURB_=23 \
     gpg-agent --enable-ssh-support --use-standard-socket --daemon

Actual results:
Program received signal SIGSEGV, Segmentation fault

Expected results:
exit 0

Additional info:
This happens only when MALLOC_PERTURB_ is nonzero.
That suggests use of pointer to freed or uninitialized heap memory.
This is *not* a problem with x86_64 rawhide's gnupg2-2.0.18-1.fc17.x86_64.
I haven't tested on i686 rawhide or on x86_64 F16.

Note that in the log below, r->r_hook is obviously an invalid (freed?) pointer.
Considering that this failure is in the guts of pth code, I compared pth versions.
Both are pth-2.0.7-10.

$ env -i MALLOC_PERTURB_=23 \
    gdb --args gpg-agent --enable-ssh-support --use-standard-socket --daemon
(gdb) r
Starting program: /usr/bin/gpg-agent --enable-ssh-support --use-standard-socket --daemon
Detaching after fork from child process 21634.
GPG_AGENT_INFO=/home/meyering/.gnupg/S.gpg-agent:21634:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/home/meyering/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=21634; export SSH_AGENT_PID;

Program received signal SIGSEGV, Segmentation fault.
__pth_ring_append (r=0x809a730, rn=0x8089ba8) at pth_ring.c:166
166         rn->rn_prev = r->r_hook->rn_prev;
(gdb) p *r
$1 = {
  r_hook = 0x8e8e8e8e,
  r_nodes = 2391707278
}
(gdb) bt
#0  __pth_ring_append (r=0x809a730, rn=0x8089ba8) at pth_ring.c:166
#1  0x462418f9 in pth_mutex_acquire (ev_extra=<optimized out>, tryonly=<optimized out>, mutex=<optimized out>) at pth_sync.c:101
#2  pth_mutex_acquire (mutex=0x8089ba8, tryonly=0, ev_extra=0x0) at pth_sync.c:45
#3  0x0806eafe in es_list_iterate (iterator=<optimized out>) at estream.c:391
#4  es_fflush (stream=0x0) at estream.c:2682
#5  0x0806eb60 in es_deinit () at estream.c:444
#6  0x460c9111 in __run_exit_handlers (status=0, listp=0x46233324, run_list_atexit=true) at exit.c:78
#7  0x460c919d in __GI_exit (status=0) at exit.c:100
#8  0x0804e1d3 in main (argc=Cannot access memory at address 0x8e8e8e8e) at gpg-agent.c:1200
I've set priority to "HIGH". Anything that can make a security-sensitive tool like gpg segfault is important enough to fix ASAP.
Can you please try this build:
http://koji.fedoraproject.org/koji/buildinfo?buildID=264361

At least for me it fixed the crashing and the related code (estream.c) is touched in the upstream update.
Thanks. With that, it no longer segfaults for me, either.
gnupg2-2.0.18-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/gnupg2-2.0.18-1.fc16
Package gnupg2-2.0.18-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnupg2-2.0.18-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/gnupg2-2.0.18-1.fc16
then log in and leave karma (feedback).
gnupg2-2.0.18-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.