Red Hat Bugzilla – Bug 973755
Use-after-free in environment due to unsafe use of putenv().
Last modified: 2015-02-09 12:26:47 EST
It is not permitted to use setenv() or putenv() in threaded applications. Or, therefore, in any library which expects to be *used* from threaded applications.
libical does so: https://sourceforge.net/p/freeassociation/bugs/86/
I would say it's better to deal with this upstream, and once they decide, backport the change for the time the next upstream release with the approved fix will be out. By the way, were you actually able to reproduce the use-after-free in putenv/setenv/getenv relation in libical?
The only reason I noticed it is because valgrind complained about the use-after-free. It *might* have been responsible for any weird crashes we've seen in the past, which may have been hard to track back to the specific cause, but would have been called "random memory corruption".
Absolutely *anything* that uses getenv() — and there are a lot of those in libc and elsewhere — could have found itself holding a pointer to a "string" which was in fact pointing to freed and potentially reallocated memory. Imagine the potential for fun ☺
OK, could you paste here the snippet of the valgrind log, please? Also, what is your libical version, please? The current rawhide has 1.0 version.
==14004== Invalid read of size 8
==14004== at 0x3909238724: getenv (getenv.c:80)
==14004== by 0x3909304AE7: __res_vinit (res_init.c:471)
==14004== by 0x39092DAA06: gaih_inet (getaddrinfo.c:806)
==14004== by 0x39092DE6FC: getaddrinfo (getaddrinfo.c:2396)
==14004== Address 0x1a133af8 is 88 bytes inside a block of size 632 free'd
==14004== at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14004== by 0x390923891F: __add_to_environ (setenv.c:142)
==14004== by 0x39092387CC: putenv (putenv.c:78)
==14004== by 0x4A0C4E7: putenv (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14004== by 0x3924435B10: set_tz (icaltime.c:342)
==14004== by 0x39244367B4: icaltime_as_timet_with_zone (icaltime.c:435)
==14004== by 0x3DE1234A4B: time_from_isodate (e-cal-time-util.c:656)
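An added example, not part of the original bug report or of libical: it shows why a reader that loaded the environment vector before a putenv() call ends up on a stale vector, which is the situation the trace above records for getenv(). The variable name GR_DEMO_TZ and all function and struct names are constructed for this example, and it assumes a libc such as glibc that allocates a new vector the first time the environment grows.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* putenv() keeps the caller's pointer, so the string needs static lifetime.
   GR_DEMO_TZ is a constructed name for this example. */
static char demo_var[] = "GR_DEMO_TZ=UTC";

/* Scan one environment vector the way a getenv()-style reader does. */
static const char *lookup_in(char **env, const char *name) {
    size_t len = strlen(name);
    for (; *env != NULL; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}

struct env_views {
    char **before;            /* vector a reader loaded before the write */
    char **after;             /* vector published by putenv() */
    const char *seen_before;  /* lookup through the stale vector */
    const char *seen_after;   /* lookup through the current vector */
};

/* Add a new variable and compare the two vectors. On the first growth in a
   process the old vector is the startup one on the stack (assumption: nothing
   has replaced environ yet), so reading it here is safe. On later growths the
   old vector is a heap block that realloc() may free, as in the trace. */
struct env_views grow_environment(void) {
    struct env_views v;
    v.before = environ;
    putenv(demo_var);
    v.after = environ;
    v.seen_before = lookup_in(v.before, "GR_DEMO_TZ");
    v.seen_after = lookup_in(v.after, "GR_DEMO_TZ");
    return v;
}

int main(void) {
    struct env_views v = grow_environment();
    printf("vector moved: %s\n", v.before != v.after ? "yes" : "no");
    printf("stale: %s, current: %s\n", v.seen_before ? v.seen_before : "(none)",
           v.seen_after ? v.seen_after : "(none)");
    return 0;
}
```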
From what I get, upstream did still not fix this yet, right?
(In reply to Robert Scheck from comment #5)
> From what I get, upstream did still not fix this yet, right?
I'm not aware of any upstream libical report, but it doesn't mean much, as I do not follow their development closely.
This message is a notice that Fedora 19 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 19. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 19 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
*** This bug has been marked as a duplicate of bug 1176204 ***