Re: gthumb CVE-2018-18718 - CWE-415: Double Free

[Herbert Fortes <terberh@gmail.com>]

On 03/11/2018 08:27, Herbert Fortes wrote:
> Hi Markus,
>
> > Hi,
> >
> > Am 02.11.18 um 12:18 schrieb Herbert Fortes:
> > [...]
> > > I made the package to Jessie and put at people.debian.org[1].
> > > I am not sure about the version - '+deb8u1' or '~deb8u1'.
> >
> > Thank you very much for preparing an update of gthumb. The patch looks
> > good to me. I am fine with an upload to Jessie to fix this bug even if
> > it has no apparent security impact. Since you are the maintainer and
> > also a Debian developer, do you want to take care of the upload
> > yourself? Then please follow our guidelines at
> > https://wiki.debian.org/LTS/Development, test the package and upload it
> > to jessie-security and send the DLA announcement. I suggest to remove
> > the Non-maintainer upload line in the changelog because you are the
> > maintainer anyway. +deb8u1 is correct because the version must be
> > greater and 3:3.3.1-2~deb8u1 is less than 3:3.3.1-2.
>
> Ok. I replaced the 'Non-maintainer upload' line saying that I am
> the current maintainer. I did not change the debian/control file.
>
> I tested the contact_sheet extension from a chroot and it did not
> crashed. But I also tried to crash it in stable - no fix - without
> success. I think my tests are not good. I created the index with a
> thumbnails. And have no problems using it.
>
> The crash must happen?

I think it does. I got this from internet:



#include <stdio.h>
#include <stdlib.h>

int main(){
	void *p = malloc(1);
	free(p);
	p = NULL;
	free(p);
	return 0;
}



Regards,
Herbert