591044 – sys-apps/diffutils-3.4: diff, diff3: use after free corrupts output (affects dispatch-conf)

Bug 591044 - sys-apps/diffutils-3.4: diff, diff3: use after free corrupts output (affects dispatch-conf)

Summary: sys-apps/diffutils-3.4: diff, diff3: use after free corrupts output (affects ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo's Team for Core System packages

URL:
Whiteboard:
Keywords:

Duplicates (2):	591340 591460 (view as bug list)
Depends on:
Blocks:

Reported:	2016-08-11 16:27 UTC by jospezial
Modified:	2016-08-17 12:35 UTC (History)
CC List:	3 users (show)

See Also:	https://debbugs.gnu.org/24210
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jospezial 2016-08-11 16:27:45 UTC

This affects dispatch-conf too!

output of diff -u /etc/conf.d/zram-init /etc/conf.d/._mrg0000_zram-init with diffutils-3.4:
--- /etc/conf.d/zram-init       2016-07-01 01:22:11.858500075 +0200
+++ /etc/conf.d/._mrg0000_zram-init     2016-08-11 17:48:03.079976759 +0200
@@ -35,8 +35,16 @@
 #         The flags variable specifies the priority (16383 if empty).
 #         Use "-" in the flags variable for the default priority (-1)
 # "/..."  The device is mounted on /...
-#         The flags variable specifies the type (ext2 or ext4, default is ext4)
-# Devices with other types are ignored by the script
+ings...
+
+# load zram kernel module on start?
+load_on_start=yes
+
+# unloazram kernel module on stop?nload_on_stop=yes
+
+# Number of devices.
+# This value is also passed tthe kernel module on modprobe.
+num_devic# Devices with other types are ignored by the script
 #
 # Only variables with numbers  0 ... num_devices-1  are used by the script.
 
@@ -72,7 +80,10 @@
 maxs2=1
 algo2=lz4
 
-# swap - 500M
+ last 4 are ignored for type swabut not for the other types.
+# Specify as empty if unneeded.
+# typ, type1, ...re the variles for e types.
+#i# swap - 500M
 # With current kernels, Instead of adding an additional swap device,
 # you better increase the size and maxs value of the first swap device.
 # Thus, the following makes only sense for older kernels not supporting maxs.



output of diff -u /etc/conf.d/zram-init /etc/conf.d/._mrg0000_zram-init with diffutils-3.3:
--- /etc/conf.d/zram-init       2016-07-01 01:22:11.858500075 +0200
+++ /etc/conf.d/._mrg0000_zram-init     2016-08-11 18:14:58.664094067 +0200
@@ -35,7 +35,10 @@
 #         The flags variable specifies the priority (16383 if empty).
 #         Use "-" in the flags variable for the default priority (-1)
 # "/..."  The device is mounted on /...
-#         The flags variable specifies the type (ext2 or ext4, default is ext4)
+#         The flags variable specifies the type (ext2, ext4, or btrfs;
+#         default is ext4)
+# "-"     The filesystem (specified by flags as above) is created in
+#         /dev/zram$NUM but not mounted
 # Devices with other types are ignored by the script
 #
 # Only variables with numbers  0 ... num_devices-1  are used by the script.
@@ -72,6 +75,13 @@
 maxs2=1
 algo2=lz4
 
+# Artificial example with btrfs
+type3=- # Only format the filesystem but actually do not mount it
+flag3=btrfs
+size3=1024
+maxs3=1
+algo3=lz4
+
 # swap - 500M
 # With current kernels, Instead of adding an additional swap device,
 # you better increase the size and maxs value of the first swap device.

Comment 1 jospezial 2016-08-13 07:18:01 UTC

As of that bug report:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24210
diff3 in diffutils 3.4 is broken too.

Comment 2 Alex Xu (Hello71) 2016-08-15 19:43:11 UTC

*** Bug 591340 has been marked as a duplicate of this bug. ***

Comment 3 eroen 2016-08-15 19:48:55 UTC

This is caused by upstream commit 3b74a905c5[1], which has been reverted in commit 1a0df4396e[2] after the 3.4 release.

1: http://git.savannah.gnu.org/gitweb/?p=diffutils.git;a=commit;h=3b74a905c5460e7979c53273ac90345860d001a7
2: http://git.savannah.gnu.org/gitweb/?p=diffutils.git;a=commit;h=1a0df4396ebe3b9a58b882bb976cfce3f50d3cac

Comment 4 eroen 2016-08-15 19:49:55 UTC

It would be great if this was masked quickly, since it causes dispatch-conf to silently corrupt files.

Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-08-15 19:56:33 UTC

commit 0ac0d1883b2fbb34f8b85995cf2ce651af4ef006
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Aug 15 21:55:04 2016

    sys-apps/diffutils: Revbump to fix use-after-free bug in diff3 (bug #591044).

    Package-Manager: portage-2.3.0
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Can you please test =sys-apps/diffutils-3.4-r1 and report back if that fixes your issues?

Comment 6 Alex Xu (Hello71) 2016-08-15 20:32:11 UTC

*** Bug 591340 has been marked as a duplicate of this bug. ***

Comment 7 eroen 2016-08-16 09:51:39 UTC

(In reply to Lars Wendler (Polynomial-C) from comment #5)
> Can you please test =sys-apps/diffutils-3.4-r1 and report back if that fixes
> your issues?

I no longer see the diff3 issue with 3.4-r1 :)

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2016-08-17 12:26:43 UTC

*** Bug 591460 has been marked as a duplicate of this bug. ***

Comment 9 Alex Xu (Hello71) 2016-08-17 12:30:02 UTC

maybe consider dropping 3.4 from tree since (AFAIK) there should be no reason to have a known-broken version in tree.

modifying summary to mention dispatch-conf to aid searches.

Comment 10 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-08-17 12:35:54 UTC

commit 8d4fcaed5f4c8788e8465ce96f9e431ff07656cd
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Aug 17 14:33:22 2016

    sys-apps/diffutils: Removed broken version (bug #591044).
    
    Package-Manager: portage-2.3.0
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>