Package: libc6
Version: 2.3.2.ds1-13
Severity: serious
Tags: patch

Certain kinds of problems in glob() result in a GLOB_ABORTED return value. In these circumstances, the glob_t passed in is likely to contain partial results (per POSIX), and thus globfree() needs to be called to prevent a memory leak.

Unfortunately, glob() itself calls globfree() under certain circumstances. Calling globfree() again (which is legal and in fact mandated under POSIX) causes certain portions of the structure to be double-freed. Under many circumstances, this results in infinite loops or SIGSEGV during the next malloc.

The best way to fix it is for globfree() to do housekeeping on the glob_t it's freeing, by setting gl_pathc to 0 and gl_pathv to NULL. Then, when globfree() is called the second time, it knows to do nothing. A patch to that effect is attached (in debian/patches form).

(This is the same bug, basically, as 260767, except that the source of the double-free I complained about has now been discovered.)

The severity is serious because this bug causes the LSB tests to hang, specifically /tset/LSB.os/genuts/glob/T.glob 30.
Attachment:
globfree-clear-pathc.dpatch
Description: application/shellscript
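The housekeeping the report asks for (clear gl_pathc and gl_pathv on free so a second globfree() is a no-op) can also be applied from the caller's side. The following is an added example, not the attached patch and not glibc code: a wrapper around globfree() that leaves the glob_t in its empty state, plus a glob() helper that uses GLOB_ERR (the flag that turns a directory read error into GLOB_ABORTED), releases the complete or partial results exactly as POSIX requires, and then releases them a second time to show that the second call is harmless. The function names globfree_safe, glob_count and double_release_is_clean, and the pattern "/*", are this example's own choices.

```c
#include <glob.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Idempotent globfree(): release the match list, then put the glob_t back
 * into its empty state so that a second call finds nothing to free.  This
 * is the same housekeeping the report asks glibc's globfree() to do itself;
 * doing it in a wrapper protects callers on a libc that does not.
 */
void globfree_safe(glob_t *pg)
{
    if (pg->gl_pathv != NULL)
        globfree(pg);
    pg->gl_pathc = 0;
    pg->gl_pathv = NULL;
}

/*
 * Expand PATTERN with GLOB_ERR.  On 0 and on GLOB_ABORTED the glob_t carries
 * results (complete or partial) that must be released; on GLOB_NOMATCH and
 * GLOB_NOSPACE it may hold nothing.  In every case the glob_t is released
 * through globfree_safe(), and releasing it a second time is a no-op rather
 * than a double free.  Returns the number of paths found; if STATUS is not
 * NULL it receives the raw glob() return value.
 */
size_t glob_count(const char *pattern, int *status)
{
    glob_t g;
    memset(&g, 0, sizeof g);            /* start from the empty state */

    int rc = glob(pattern, GLOB_ERR, NULL, &g);
    size_t n = (rc == 0 || rc == GLOB_ABORTED) ? g.gl_pathc : 0;

    globfree_safe(&g);   /* the mandated release of (partial) results */
    globfree_safe(&g);   /* the "second call" from the report: now harmless */

    if (status != NULL)
        *status = rc;
    return n;
}

/* Returns 1 if, after two releases, the glob_t is back in the empty state. */
int double_release_is_clean(const char *pattern)
{
    glob_t g;
    memset(&g, 0, sizeof g);
    (void)glob(pattern, GLOB_ERR, NULL, &g);
    globfree_safe(&g);
    globfree_safe(&g);
    return g.gl_pathc == 0 && g.gl_pathv == NULL;
}

int main(void)
{
    int rc;
    size_t n = glob_count("/*", &rc);
    printf("glob(\"/*\") returned %d with %zu matches\n", rc, n);

    n = glob_count("/no/such/directory/*", &rc);
    printf("glob(\"/no/such/directory/*\") returned %d with %zu matches\n", rc, n);

    printf("double release clean: %d\n", double_release_is_clean("/*"));
    return 0;
}
```

Note that the wrapper only skips the underlying globfree() when gl_pathv is already NULL; it does not try to guess whether a non-NULL gl_pathv has been freed before, because nothing in the structure records that. The whole point of the housekeeping is that the first release writes NULL back, which is exactly what the report proposes globfree() do on its own.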