#715870 [Mayhem] Bug report on esekeyd: esekeyd crashes with exit status 139

Package: esekeyd
Source: esekeyd
Description: multimedia keyboard daemon for Linux
Submitter: Alexandre Rebert
Date: 2024-06-25 07:57:04 UTC
Severity: normal
Tags:
#715870#5
Date: 2013-07-10 18:59:15 UTC
From:
To:
esekeyd crashes with exit status 139. We confirmed the crash by
re-running it in a fresh Debian unstable installation.

The attachment [1] contains a testcase (under ./crash) crashing the
program. It ensures that you can easily reproduce the bug. Additionally,
under ./crash_info/, we include more information about the crash such as
a core dump, the dmesg generated by the crash, and its output.

Regards,
The Mayhem Team (Alexandre Rebert, Thanassis Avgerinos, Sang Kil Cha, David Brumley, Manuel Egele)
Cylab, Carnegie Mellon University

[1] http://www.forallsecure.com/bug-reports/b1de88e38b0a87de4c8dfb0cd10b31f315678f0f/full_report

#715870#10
Date: 2024-06-25 06:22:49 UTC
From:
To:
The problem seems to be non-robust parsing of input data.  The following
patch changes the handling to return an error and exit.

diff --git a/src/esekeyd.c b/src/esekeyd.c
index e9cc06b..572dcc4 100644
--- a/src/esekeyd.c
+++ b/src/esekeyd.c
@@ -174,6 +174,10 @@ int main (int argc, char *argv[])

                 keys = (struct esekey *) realloc (keys, (keycount +1) * sizeof (struct esekey));
                 separator = strchr(buff, ':');
+                if (NULL == separator) {
+                    printf("error locating key separator info\n");
+                    return -1;
+                }
                 keys[keycount].command = (char *) malloc (read - (separator - buff));
                 memcpy (keys[keycount].command, separator + 1, read - (separator - buff));
                 separator[0] = '\0';
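
Review bot: the new "NULL == separator" branch reports the failure with printf, so the message goes to stdout, and "return -1" from main is seen by the caller as exit status 255. Suggest fprintf(stderr, ...) with EXIT_FAILURE, and include the offending line (buff) in the message so the user can locate the entry that lacks a ':'. Separately, the realloc on the context line above the check overwrites keys without testing the result, and the malloc result just below is passed to memcpy unchecked; both allocations can return NULL and deserve the same kind of guard as the strchr result.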

I do not know the program enough to come up with a sensible error
message, so take that part with a grain of salt. :)

CC to upstream, see <URL: https://bugs.debian.org/715870 > for the original report.

#715870#17
Date: 2024-06-25 07:59:43 UTC
From:
To:
Note, the requestor email address, alexandre (at) cmu.edu, is no longer
working.