#1137320 libstring-compare-constanttime-perl: Debian patch for CVE-2024-13939 in trixie causes random segfaults due to random memory reads

Package:
libstring-compare-constanttime-perl
Source:
libstring-compare-constanttime-perl
Description:
module for protecting string comparison from timing attacks
Submitter:
Matthew Horsfall (alh)
Date:
2026-06-26 15:33:01 UTC
Severity:
normal
#1137320#5
Date:
2026-05-22 13:16:37 UTC
From:
To:
Dear Maintainer,

I noticed on Trixie that my code using String::Compare::ConstantTime would randomly crash.

In debugging it, I isolated the problem to the patch included in Debian for CVE-2024-13939
seen here: https://sources.debian.org/patches/libstring-compare-constanttime-perl/0.321-3/

The patch constructs a memory address from two different pointers, which, if the high bits
of one pointer do not match the high bits of the other pointer, points to a random
memory location. Reading from that location causes a segfault:

    +  unsigned char *s;
    +  unsigned char r;
    +  uintptr_t mask;
    +
    +  /* Orchestrate a dummy compare which never matches and whose run-time does
    +   * not stand out if a_len != b_len */
    +  r = (a_len != b_len);
    +  /* Branching-less: s = (r) ? b : a */
    +  mask = 0u - r;
    +  s = (unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
    +
    +  for (i = 0; i < b_len; i++) {
    +    r |= *s++ ^ *b++;
       }
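
Review bot: the mask computed by "mask = 0u - r;" is evaluated in unsigned int and only then widened to uintptr_t, so on 64-bit targets it is 0x00000000FFFFFFFF rather than all ones, and "s = (unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));" then combines the low 32 bits of b with the high 32 bits of a. That is exactly the mixed pointer described above whenever the two buffers do not share the same upper 32 address bits, and the dereference in "r |= *s++ ^ *b++;" faults. Do the negation in the pointer-sized type instead, e.g. "mask = (uintptr_t)0 - r;" (or "mask = -(uintptr_t)r;"), so that s is a genuine copy of either a or b.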

For more details and a reproducer, see:

https://github.com/hoytech/String-Compare-ConstantTime/pull/21/#pullrequestreview-4345646603

Thanks,
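
Added example, not part of this report, the Debian patch or the module's own code: the mask computation quoted above beside a corrected form that negates in uintptr_t, with the corrected select used in a constant-time compare. The two addresses in patched_select_is_wrong are constructed values and are never dereferenced.

```c
#include <stddef.h>
#include <stdint.h>

/* The patch's expression: 0u - r is computed in unsigned int (32 bits)
 * and only then widened to uintptr_t, so the upper half of mask is zero. */
uintptr_t mask_as_patched(unsigned char r) {
    uintptr_t mask = 0u - r;
    return mask;
}

/* Corrected: negate in uintptr_t so every bit of mask is set when r != 0. */
uintptr_t mask_fixed(unsigned char r) {
    return (uintptr_t)0 - (uintptr_t)r;
}

/* Branch-free select using the corrected mask: b if r != 0, otherwise a. */
static const unsigned char *select_ptr(const unsigned char *a,
                                       const unsigned char *b,
                                       unsigned char r) {
    uintptr_t mask = mask_fixed(r);
    return (const unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
}

/* Constant-time equality: returns 1 if equal, 0 otherwise. When the
 * lengths differ, r is already 1 and the loop compares b against itself,
 * so the run time does not reveal the length mismatch. */
int ct_equal(const unsigned char *a, size_t a_len,
             const unsigned char *b, size_t b_len) {
    unsigned char r = (a_len != b_len);
    const unsigned char *s = select_ptr(a, b, r);
    for (size_t i = 0; i < b_len; i++)
        r |= s[i] ^ b[i];
    return r == 0;
}

/* Shows the lost upper half: two constructed addresses whose high 32 bits
 * differ yield a mixed pointer under the patched mask. Returns 1 when the
 * select picked something other than b (64-bit targets), 0 otherwise. */
int patched_select_is_wrong(void) {
    uintptr_t a = (uintptr_t)0x00007f0000001000ULL; /* constructed */
    uintptr_t b = (uintptr_t)0x0000550000002000ULL; /* constructed */
    uintptr_t mask = mask_as_patched(1);
    uintptr_t s = (b & mask) | (a & ~mask);
    return s != b;
}
```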

#1137320#10
Date:
2026-06-26 15:31:51 UTC
From:
To:
Hi, any word on this? It still appears broken in Trixie.

Thanks,