[Bug 608085] Re: Buffer overflow when opening mail with calendar.vcf tnef attachment

2010-07-26 Thread Anze Zagar
It is obviously a ytnef library issue. The attached winmail.dat extracts
ok with tnef-1.4.6-1 but with ytnef-2.6-2ubuntu1  libytnef0-1.5-2 I
get:

$ ytnef -f . winmail.dat 
./calendar.vcf
*** buffer overflow detected ***: ytnef terminated
=== Backtrace: =
/lib/libc.so.6(__fortify_fail+0x37)[0x7f3485df0207]
/lib/libc.so.6(+0xfe0c0)[0x7f3485def0c0]
/usr/lib/libytnef.so.0(DecompressRTF+0x3c)[0x7f34860764ec]
ytnef[0x4033b3]
ytnef[0x403b3a]
ytnef[0x40404f]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f3485d0fc4d]
ytnef[0x400cf9]
Aborted


** Attachment added: Problematic winmail.dat file
   http://launchpadlibrarian.net/52518889/winmail.dat

-- 
Buffer overflow when opening mail with calendar.vcf tnef attachment
https://bugs.launchpad.net/bugs/608085
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
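
The attribution made in the reports on this page, as an added example (not part of the original messages and not code from ytnef or Evolution): parse glibc's abort backtrace, skip the libc frames that only report the failed check, and compare the first remaining frame across the two crashes. The function names and the list of runtime modules are assumptions of this example; the sample frames are copied, trimmed, from the two backtraces on this page.

```python
import re

# glibc prints each frame as module(symbol+0xoff)[0xaddr]; the "(...)" part
# is missing for frames in a stripped executable, and symbol may be empty.
FRAME_RE = re.compile(
    r"^(?P<module>[^\s(\[]+)"
    r"(?:\((?P<symbol>[^+)]*)\+(?P<offset>0x[0-9a-f]+)\))?"
    r"\[(?P<addr>0x[0-9a-f]+)\]$"
)
# Assumption of this example: frames in these modules only report the failure.
RUNTIME_RE = re.compile(r"/(libc|libpthread|ld)[-.]")

# Frames copied from the two reports on this page (trimmed).
YTNEF_CLI = """\
*** buffer overflow detected ***: ytnef terminated
/lib/libc.so.6(__fortify_fail+0x37)[0x7f3485df0207]
/lib/libc.so.6(+0xfe0c0)[0x7f3485def0c0]
/usr/lib/libytnef.so.0(DecompressRTF+0x3c)[0x7f34860764ec]
ytnef[0x4033b3]
"""
EVOLUTION = """\
*** buffer overflow detected ***: evolution terminated
/lib/libc.so.6(__fortify_fail+0x37)[0x7fa9065e7207]
/lib/libc.so.6(+0xfe0c0)[0x7fa9065e60c0]
/usr/lib/libytnef.so.0(DecompressRTF+0x3c)[0x7fa8f7d9c4ec]
/usr/lib/evolution/2.28/plugins/liborg-gnome-tnef-attachments.so(saveVCalendar+0x3f3)[0x7fa8f7fb41b3]
"""

def parse_frames(text):
    """Return one dict per backtrace frame; non-frame lines are ignored."""
    matches = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def faulting_frame(text):
    """First frame after __fortify_fail that lies outside the C runtime."""
    seen = False
    for frame in parse_frames(text):
        if frame["symbol"] == "__fortify_fail":
            seen = True
        elif seen and not RUNTIME_RE.search(frame["module"]):
            return frame
    return None

def same_fault(a, b):
    """True when both crashes abort at the same module, symbol and offset."""
    fa, fb = faulting_frame(a), faulting_frame(b)
    return bool(fa and fb) and all(fa[k] == fb[k] for k in ("module", "symbol", "offset"))

if __name__ == "__main__":
    print(faulting_frame(YTNEF_CLI), same_fault(YTNEF_CLI, EVOLUTION))
```

Both backtraces resolve to the same frame in libytnef.so.0, independent of whether the caller is the ytnef command-line tool or the Evolution plugin.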


[Bug 608085] [NEW] Buffer overflow when opening mail with calendar.vcf tnef attachment

2010-07-21 Thread Anze Zagar
Public bug reported:

Binary package hint: evolution

Ubuntu 10.04 LTS, Evolution 2.28.3-0ubuntu10

After accepting an appointment invitation in the Outlook 2007 MS Exchange
client, moving it to another IMAP account and then opening it from there
with Evolution, I get a buffer overflow and Evolution crashes. The error
obviously occurs in the tnef plugin (libytnef.so.0 of libytnef0-1.5-2 in
particular). It does not occur if I remove
evolution-plugins-experimental-2.28.3-0ubuntu10. Evolution 2.30 (from
ppa:jacob/evo230) does not resolve this issue either.

Here is the error dump:

/home/anzez/.evolution/cache/tmp/tnef-attachment-SCDwr8/calendar.vcf
*** buffer overflow detected ***: evolution terminated
=== Backtrace: =
/lib/libc.so.6(__fortify_fail+0x37)[0x7fa9065e7207]
/lib/libc.so.6(+0xfe0c0)[0x7fa9065e60c0]
/usr/lib/libytnef.so.0(DecompressRTF+0x3c)[0x7fa8f7d9c4ec]
/usr/lib/evolution/2.28/plugins/liborg-gnome-tnef-attachments.so(saveVCalendar+0x3f3)[0x7fa8f7fb41b3]
/usr/lib/evolution/2.28/plugins/liborg-gnome-tnef-attachments.so(processTnef+0x28d)[0x7fa8f7fb490d]
/usr/lib/evolution/2.28/plugins/liborg-gnome-tnef-attachments.so(org_gnome_format_tnef+0xfc)[0x7fa8f7fb4d8c]
/usr/lib/evolution/2.28/libeutil.so.0(+0x2b192)[0x7fa91070a192]
/usr/lib/evolution/2.28/components/libevolution-mail.so(+0x37c72)[0x7fa8fbed1c72]
/usr/lib/evolution/2.28/components/libevolution-mail.so(+0x3b1d7)[0x7fa8fbed51d7]
/usr/lib/evolution/2.28/libevolution-mail-shared.so.0(em_format_part_as+0xfd)[0x7fa8fbc4a41d]
/usr/lib/evolution/2.28/libevolution-mail-shared.so.0(em_format_part+0x52)[0x7fa8fbc4a5e2]
/usr/lib/evolution/2.28/libevolution-mail-shared.so.0(+0x54302)[0x7fa8fbc4b302]
/usr/lib/evolution/2.28/libevolution-mail-shared.so.0(em_format_part_as+0x15e)[0x7fa8fbc4a47e]
/usr/lib/evolution/2.28/libevolution-mail-shared.so.0(em_format_part+0x52)[0x7fa8fbc4a5e2]
/usr/lib/evolution/2.28/components/libevolution-mail.so(+0x3e0ee)[0x7fa8fbed80ee]
/usr/lib/evolution/2.28/components/libevolution-mail.so(+0x3ce60)[0x7fa8fbed6e60]
/usr/lib/evolution/2.28/libevolution-mail-shared.so.0(+0x691df)[0x7fa8fbc601df]
/lib/libglib-2.0.so.0(+0x69a5f)[0x7fa9068d4a5f]
/lib/libglib-2.0.so.0(+0x67b84)[0x7fa9068d2b84]
/lib/libpthread.so.0(+0x69ca)[0x7fa90d4e79ca]
/lib/libc.so.6(clone+0x6d)[0x7fa9065ce6fd]

[Bug 608085] Re: Buffer overflow when opening mail with calendar.vcf tnef attachment

2010-07-21 Thread Anze Zagar

** Attachment added: Dependencies.txt
   http://launchpadlibrarian.net/52247850/Dependencies.txt
