Don't use things after they're freed...duh #709

alex · 2017-11-20T12:25:36Z

No description provided.

codecov · 2017-11-20T12:33:34Z

Codecov Report

Merging #709 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #709      +/-   ##
==========================================
+ Coverage   97.01%   97.02%   +<.01%     
==========================================
  Files          16       16              
  Lines        5631     5647      +16     
  Branches      391      392       +1     
==========================================
+ Hits         5463     5479      +16     
  Misses        112      112              
  Partials       56       56

Impacted Files	Coverage Δ
src/OpenSSL/SSL.py	`94.87% <100%> (-0.02%)`	⬇️
src/OpenSSL/crypto.py	`96.86% <100%> (+0.05%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c3697ad...08f0af7. Read the comment docs.

reaperhulk · 2017-11-20T13:44:19Z

CHANGELOG.rst


+- Corrected a use-after-free with some uses of the ``X509`` API.


Should we add a sentence here to state that referencing a previously obtained issuer/subject after a subsequent set call will now raise an exception?

169: Scheduled weekly dependency update for week 48 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>hypothesis</b></td> <td align="center">3.38.0</td> <td align="center">»</td> <td align="center">3.38.5</td> <td> <a href="https://pypi.python.org/pypi/hypothesis">PyPI</a> | <a href="https://pyup.io/changelogs/hypothesis/">Changelog</a> | <a href="https://github.com/HypothesisWorks/hypothesis/issues">Repo</a> </td> <tr> <td><b>pyasn1-modules</b></td> <td align="center">0.1.5</td> <td align="center">»</td> <td align="center">0.2.1</td> <td> <a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a> </td> <tr> <td><b>pyasn1</b></td> <td align="center">0.3.7</td> <td align="center">»</td> <td align="center">0.4.2</td> <td> <a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.3.0</td> <td align="center">»</td> <td align="center">17.4.0</td> <td> <a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> <tr> <td><b>pyrsistent</b></td> <td align="center">0.14.0</td> <td align="center">»</td> <td align="center">0.14.1</td> <td> <a href="https://pypi.python.org/pypi/pyrsistent">PyPI</a> | <a href="https://pyup.io/changelogs/pyrsistent/">Changelog</a> | <a href="http://github.com/tobgu/pyrsistent/">Repo</a> </td> </tr> </table> ## Changelogs ### hypothesis 3.38.0 -> 3.38.5 >### 3.38.5 >------------------- >This fixes the repr of strategies using lambda that are defined inside >decorators to include the lambda source. >This would mostly have been visible when using the >:ref:`statistics <statistics>` functionality - lambdas used for e.g. filtering >would have shown up with a ``<unknown>`` as their body. This can still happen, >but it should happen less often now. >------------------- >### 3.38.4 >------------------- >This release updates the reported :ref:`statistics <statistics>` so that they >show approximately what fraction of your test run time is spent in data >generation (as opposed to test execution). >This work was funded by `Smarkets <https://smarkets.com/>`_. >------------------- >### 3.38.3 >------------------- >This is a documentation release, which ensures code examples are up to date >by running them as doctests in CI (:issue:`711`). >------------------- >### 3.38.2 >------------------- >This release changes the behaviour of the :attr:`~hypothesis.settings.deadline` >setting when used with :func:`~hypothesis.strategies.data`: Time spent inside >calls to ``data.draw`` will no longer be counted towards the deadline time. >As a side effect of some refactoring required for this work, the way flaky >tests are handled has changed slightly. You are unlikely to see much difference >from this, but some error messages will have changed. >This work was funded by `Smarkets <https://smarkets.com/>`_. >------------------- >### 3.38.1 >------------------- >This patch has a variety of non-user-visible refactorings, removing various >minor warts ranging from indirect imports to typos in comments. >------------------- ### pyopenssl 17.3.0 -> 17.4.0 >### 17.4.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >*none* >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Re-added a subset of the ``OpenSSL.rand`` module. > This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. > `708 <https://github.com/pyca/pyopenssl/pull/708>`_ >- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. > `709 <https://github.com/pyca/pyopenssl/pull/709>`_ >---- ### pyrsistent 0.14.0 -> 0.14.1 >### 0.14.1 > * Equality check performance improvements for pvectors and pmaps. Thanks dtomas for this! > * Avoid calling factories multiple times for fields that do not change, see PR 120 for for > details. Thanks teepark for this! That's it for now! Happy merging! 🤖

162: Scheduled weekly dependency update for week 48 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>pyasn1-modules</b></td> <td align="center">0.1.5</td> <td align="center">»</td> <td align="center">0.2.1</td> <td> <a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a> </td> <tr> <td><b>pyasn1</b></td> <td align="center">0.3.7</td> <td align="center">»</td> <td align="center">0.4.2</td> <td> <a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.3.0</td> <td align="center">»</td> <td align="center">17.4.0</td> <td> <a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> <tr> <td><b>pyrsistent</b></td> <td align="center">0.14.0</td> <td align="center">»</td> <td align="center">0.14.1</td> <td> <a href="https://pypi.python.org/pypi/pyrsistent">PyPI</a> | <a href="https://pyup.io/changelogs/pyrsistent/">Changelog</a> | <a href="http://github.com/tobgu/pyrsistent/">Repo</a> </td> </tr> </table> ## Changelogs ### pyopenssl 17.3.0 -> 17.4.0 >### 17.4.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >*none* >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Re-added a subset of the ``OpenSSL.rand`` module. > This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. > `708 <https://github.com/pyca/pyopenssl/pull/708>`_ >- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. > `709 <https://github.com/pyca/pyopenssl/pull/709>`_ >---- ### pyrsistent 0.14.0 -> 0.14.1 >### 0.14.1 > * Equality check performance improvements for pvectors and pmaps. Thanks dtomas for this! > * Avoid calling factories multiple times for fields that do not change, see PR 120 for for > details. Thanks teepark for this! That's it for now! Happy merging! 🤖

120: Scheduled weekly dependency update for week 48 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>pyasn1-modules</b></td> <td align="center">0.1.5</td> <td align="center">»</td> <td align="center">0.2.1</td> <td> <a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a> </td> <tr> <td><b>pyasn1</b></td> <td align="center">0.3.7</td> <td align="center">»</td> <td align="center">0.4.2</td> <td> <a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.3.0</td> <td align="center">»</td> <td align="center">17.4.0</td> <td> <a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> </tr> </table> ## Changelogs ### pyopenssl 17.3.0 -> 17.4.0 >### 17.4.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >*none* >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Re-added a subset of the ``OpenSSL.rand`` module. > This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. > `708 <https://github.com/pyca/pyopenssl/pull/708>`_ >- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. > `709 <https://github.com/pyca/pyopenssl/pull/709>`_ >---- That's it for now! Happy merging! 🤖

alex added 2 commits November 15, 2017 19:20

Don't use things after they're freed...duh

2e194f6

changelog

f4fa8ec

Merge branch 'master' into use-after-free-is-a-crime

32b97a5

reaperhulk reviewed Nov 20, 2017

View reviewed changes

more details

08f0af7

reaperhulk approved these changes Nov 20, 2017

View reviewed changes

reaperhulk merged commit 4aa52c3 into pyca:master Nov 20, 2017

alex deleted the use-after-free-is-a-crime branch November 20, 2017 14:15

github-actions bot locked as resolved and limited conversation to collaborators Aug 16, 2020

Don't use things after they're freed...duh #709

Don't use things after they're freed...duh #709

alex commented Nov 20, 2017

codecov bot commented Nov 20, 2017 •

edited

reaperhulk Nov 20, 2017


		- Corrected a use-after-free with some uses of the ``X509`` API.

Don't use things after they're freed...duh #709

Don't use things after they're freed...duh #709

Conversation

alex commented Nov 20, 2017

codecov bot commented Nov 20, 2017 • edited

Codecov Report

reaperhulk Nov 20, 2017

Choose a reason for hiding this comment

codecov bot commented Nov 20, 2017 •

edited