Hi, I had sent this but I haven't seen it appear in the bug, so re-sending it again, in case I did something wrong:
I have applied a patch, built the package, installed it and confirmed Evolution is working again and the crash related to microsoft-identity-broker no longer occurs. I am attaching both a debdiff and a quilt patch file, in case these are useful and can be reviewed, and the patch (or a similar one created based on the fix suggested) incorporated to Debian packaging. Thank you very much, Kind Regards, Jonas.
Description: Fix NULL dereference when broker returns no PRT SSO cookie When microsoft-identity-broker 3.0.1 returns an error response or omits the cookieName/cookieContent fields, json_object_get_string_member() returns NULL, causing soup_cookie_new() to return NULL. The subsequent unguarded call to soup_cookie_set_secure() then crashes with SIGSEGV in evolution-source-registry on startup. Add a NULL check after soup_cookie_new() and propagate a descriptive G_IO_ERROR_INVALID_DATA error to the caller instead. Origin: other Bug-Debian: https://bugs.debian.org/1133124 Bug: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/635 Forwarded: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/635 Author: Jonas <[email protected]> Last-Update: 2026-04-10 --- a/src/libedataserver/e-ms-oapxbc.c +++ b/src/libedataserver/e-ms-oapxbc.c @@ -372,6 +372,12 @@ /* [ms-oapxbc] is only supported on Microsoft Entra ID */ "login.microsoftonline.com", "/", -1); + if (!soup_cookie) { + g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA, + _("Failed to create PRT SSO cookie: broker response missing cookieName or cookieContent")); + g_clear_object (&parser); + return NULL; + } soup_cookie_set_secure (soup_cookie, TRUE); soup_cookie_set_http_only (soup_cookie, TRUE);
evolution-data-server_3.56.2-8_3.56.2-9.debdiff
Description: Binary data
