Don't use things after they're freed...duh #709

alex · 2017-11-20T12:25:36Z

No description provided.

codecov · 2017-11-20T12:33:34Z

Codecov Report

Merging #709 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #709      +/-   ##
==========================================
+ Coverage   97.01%   97.02%   +<.01%     
==========================================
  Files          16       16              
  Lines        5631     5647      +16     
  Branches      391      392       +1     
==========================================
+ Hits         5463     5479      +16     
  Misses        112      112              
  Partials       56       56

Impacted Files	Coverage Δ
src/OpenSSL/SSL.py	`94.87% <100%> (-0.02%)`	⬇️
src/OpenSSL/crypto.py	`96.86% <100%> (+0.05%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c3697ad...08f0af7. Read the comment docs.

reaperhulk · 2017-11-20T13:44:19Z

CHANGELOG.rst


+- Corrected a use-after-free with some uses of the ``X509`` API.


Should we add a sentence here to state that referencing a previously obtained issuer/subject after a subsequent set call will now raise an exception?

169: Scheduled weekly dependency update for week 48 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>hypothesis</b></td> <td align="center">3.38.0</td> <td align="center">»</td> <td align="center">3.38.5</td> <td> <a href="https://pypi.python.org/pypi/hypothesis">PyPI</a> | <a href="https://pyup.io/changelogs/hypothesis/">Changelog</a> | <a href="https://github.com/HypothesisWorks/hypothesis/issues">Repo</a> </td> <tr> <td><b>pyasn1-modules</b></td> <td align="center">0.1.5</td> <td align="center">»</td> <td align="center">0.2.1</td> <td> <a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a> </td> <tr> <td><b>pyasn1</b></td> <td align="center">0.3.7</td> <td align="center">»</td> <td align="center">0.4.2</td> <td> <a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.3.0</td> <td align="center">»</td> <td align="center">17.4.0</td> <td> <a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> <tr> <td><b>pyrsistent</b></td> <td align="center">0.14.0</td> <td align="center">»</td> <td align="center">0.14.1</td> <td> <a href="https://pypi.python.org/pypi/pyrsistent">PyPI</a> | <a href="https://pyup.io/changelogs/pyrsistent/">Changelog</a> | <a href="http://github.com/tobgu/pyrsistent/">Repo</a> </td> </tr> </table> ## Changelogs ### hypothesis 3.38.0 -> 3.38.5 >### 3.38.5 >------------------- >This fixes the repr of strategies using lambda that are defined inside >decorators to include the lambda source. >This would mostly have been visible when using the >:ref:`statistics <statistics>` functionality - lambdas used for e.g. filtering >would have shown up with a ``<unknown>`` as their body. This can still happen, >but it should happen less often now. >------------------- >### 3.38.4 >------------------- >This release updates the reported :ref:`statistics <statistics>` so that they >show approximately what fraction of your test run time is spent in data >generation (as opposed to test execution). >This work was funded by `Smarkets <https://smarkets.com/>`_. >------------------- >### 3.38.3 >------------------- >This is a documentation release, which ensures code examples are up to date >by running them as doctests in CI (:issue:`711`). >------------------- >### 3.38.2 >------------------- >This release changes the behaviour of the :attr:`~hypothesis.settings.deadline` >setting when used with :func:`~hypothesis.strategies.data`: Time spent inside >calls to ``data.draw`` will no longer be counted towards the deadline time. >As a side effect of some refactoring required for this work, the way flaky >tests are handled has changed slightly. You are unlikely to see much difference >from this, but some error messages will have changed. >This work was funded by `Smarkets <https://smarkets.com/>`_. >------------------- >### 3.38.1 >------------------- >This patch has a variety of non-user-visible refactorings, removing various >minor warts ranging from indirect imports to typos in comments. >------------------- ### pyopenssl 17.3.0 -> 17.4.0 >### 17.4.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >*none* >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Re-added a subset of the ``OpenSSL.rand`` module. > This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. > `708 <https://github.com/pyca/pyopenssl/pull/708>`_ >- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. > `709 <https://github.com/pyca/pyopenssl/pull/709>`_ >---- ### pyrsistent 0.14.0 -> 0.14.1 >### 0.14.1 > * Equality check performance improvements for pvectors and pmaps. Thanks dtomas for this! > * Avoid calling factories multiple times for fields that do not change, see PR 120 for for > details. Thanks teepark for this! That's it for now! Happy merging! 🤖

162: Scheduled weekly dependency update for week 48 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>pyasn1-modules</b></td> <td align="center">0.1.5</td> <td align="center">»</td> <td align="center">0.2.1</td> <td> <a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a> </td> <tr> <td><b>pyasn1</b></td> <td align="center">0.3.7</td> <td align="center">»</td> <td align="center">0.4.2</td> <td> <a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.3.0</td> <td align="center">»</td> <td align="center">17.4.0</td> <td> <a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> <tr> <td><b>pyrsistent</b></td> <td align="center">0.14.0</td> <td align="center">»</td> <td align="center">0.14.1</td> <td> <a href="https://pypi.python.org/pypi/pyrsistent">PyPI</a> | <a href="https://pyup.io/changelogs/pyrsistent/">Changelog</a> | <a href="http://github.com/tobgu/pyrsistent/">Repo</a> </td> </tr> </table> ## Changelogs ### pyopenssl 17.3.0 -> 17.4.0 >### 17.4.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >*none* >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Re-added a subset of the ``OpenSSL.rand`` module. > This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. > `708 <https://github.com/pyca/pyopenssl/pull/708>`_ >- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. > `709 <https://github.com/pyca/pyopenssl/pull/709>`_ >---- ### pyrsistent 0.14.0 -> 0.14.1 >### 0.14.1 > * Equality check performance improvements for pvectors and pmaps. Thanks dtomas for this! > * Avoid calling factories multiple times for fields that do not change, see PR 120 for for > details. Thanks teepark for this! That's it for now! Happy merging! 🤖

120: Scheduled weekly dependency update for week 48 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>pyasn1-modules</b></td> <td align="center">0.1.5</td> <td align="center">»</td> <td align="center">0.2.1</td> <td> <a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a> </td> <tr> <td><b>pyasn1</b></td> <td align="center">0.3.7</td> <td align="center">»</td> <td align="center">0.4.2</td> <td> <a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.3.0</td> <td align="center">»</td> <td align="center">17.4.0</td> <td> <a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> </tr> </table> ## Changelogs ### pyopenssl 17.3.0 -> 17.4.0 >### 17.4.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >*none* >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Re-added a subset of the ``OpenSSL.rand`` module. > This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. > `708 <https://github.com/pyca/pyopenssl/pull/708>`_ >- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. > `709 <https://github.com/pyca/pyopenssl/pull/709>`_ >---- That's it for now! Happy merging! 🤖

alex added 2 commits November 15, 2017 19:20

Don't use things after they're freed...duh

2e194f6

changelog

f4fa8ec

Merge branch 'master' into use-after-free-is-a-crime

32b97a5

reaperhulk reviewed Nov 20, 2017

View reviewed changes

more details

08f0af7

reaperhulk approved these changes Nov 20, 2017

View reviewed changes

reaperhulk merged commit 4aa52c3 into pyca:master Nov 20, 2017

alex deleted the use-after-free-is-a-crime branch November 20, 2017 14:15

github-actions bot locked as resolved and limited conversation to collaborators Aug 16, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't use things after they're freed...duh #709

Don't use things after they're freed...duh #709

alex commented Nov 20, 2017

codecov bot commented Nov 20, 2017 •

edited

reaperhulk Nov 20, 2017


		- Corrected a use-after-free with some uses of the ``X509`` API.

Don't use things after they're freed...duh #709

Don't use things after they're freed...duh #709

Conversation

alex commented Nov 20, 2017

codecov bot commented Nov 20, 2017 • edited

Codecov Report

reaperhulk Nov 20, 2017

Choose a reason for hiding this comment

codecov bot commented Nov 20, 2017 •

edited