Bug 973755 - Use-after-free in environment due to unsafe use of putenv().
Summary: Use-after-free in environment due to unsafe use of putenv().
Status: CLOSED DUPLICATE of bug 1176204
Alias: None
Product: Fedora
Classification: Fedora
Component: libical (Show other bugs)
(Show other bugs)
Version: 19
Hardware: Unspecified Unspecified
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2013-06-12 15:45 UTC by David Woodhouse
Modified: 2015-02-09 17:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-02-09 17:26:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 630690 None None None Never

Description David Woodhouse 2013-06-12 15:45:56 UTC
It is not permitted to use setenv() or putenv() in threaded applications. Or, therefore, in any library which expects to be *used* from threaded applications.

libical does so: https://sourceforge.net/p/freeassociation/bugs/86/

Comment 1 Milan Crha 2013-06-13 21:04:13 UTC
I would say it's better to deal with this upstream, and once they decide, backport the change for the time the next upstream release with the approved fix will be out. By the way, were you actually able to reproduce the use-after-free in putenv/setenv/getenv relation in libical?

Comment 2 David Woodhouse 2013-06-13 22:31:31 UTC
The only reason I noticed it is because valgrind complained about the use-after-free. It *might* have been responsible for any weird crashes we've seen in the past, which may have been hard to track back to the specific cause, but would have been called "random memory corruption".

Absolutely *anything* that uses getenv() — and there are lot of those in libc and elsewhere — could have found itself holding a pointer to a "string" which was in fact pointing to freed and potentially reallocated memory. Imagine the potential for fun ☺

Comment 3 Milan Crha 2013-06-14 07:26:07 UTC
OK, could you paste here the snippet of the valgrind long, please? Also, what is your libical version, please? The current rawhide has 1.0 version.

Comment 4 David Woodhouse 2013-06-14 07:52:22 UTC

==14004== Invalid read of size 8
==14004==    at 0x3909238724: getenv (getenv.c:80)
==14004==    by 0x3909304AE7: __res_vinit (res_init.c:471)
==14004==    by 0x39092DAA06: gaih_inet (getaddrinfo.c:806)
==14004==    by 0x39092DE6FC: getaddrinfo (getaddrinfo.c:2396)

==14004==  Address 0x1a133af8 is 88 bytes inside a block of size 632 free'd
==14004==    at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14004==    by 0x390923891F: __add_to_environ (setenv.c:142)
==14004==    by 0x39092387CC: putenv (putenv.c:78)
==14004==    by 0x4A0C4E7: putenv (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14004==    by 0x3924435B10: set_tz (icaltime.c:342)
==14004==    by 0x39244367B4: icaltime_as_timet_with_zone (icaltime.c:435)
==14004==    by 0x3DE1234A4B: time_from_isodate (e-cal-time-util.c:656)

Comment 5 Robert Scheck 2013-10-19 23:57:32 UTC
From what I get, upstream did still not fix this yet, right?

Comment 6 Milan Crha 2013-11-04 20:43:32 UTC
(In reply to Robert Scheck from comment #5)
> From what I get, upstream did still not fix this yet, right?

I'm not aware of any upstream libical report, but it doesn't mean much, as I do not follow their development closely.

Comment 7 Fedora End Of Life 2015-01-09 18:24:22 UTC
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Milan Crha 2015-02-09 17:26:47 UTC

*** This bug has been marked as a duplicate of bug 1176204 ***

Note You need to log in before you can comment on or make changes to this bug.