[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
** Changed in: evolution
   Importance: Unknown => Critical

--
evolution crashed with SIGSEGV after opening email with attachment
https://bugs.launchpad.net/bugs/229669
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
This bug is fixed in evolution 2.30.1, which is now in Maverick.

** Changed in: evolution (Ubuntu)
   Status: Fix Committed => Fix Released
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
** Branch linked: lp:ubuntu/evolution-data-server
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
** Changed in: evolution
   Status: New => Fix Released
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
This was fixed upstream on:

Created commit 500e0e9 in eds master (2.31.1+)
Created commit 5cfb419 in eds gnome-2-30 (2.30.1+)

** Changed in: evolution (Ubuntu)
   Status: Triaged => Fix Committed
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
Since bug 384716 is marked as a duplicate, commenting here.

The problem reported in 384716 definitely has nothing to do with the sender address, but rather with IMAP decoding. In my case, the problem is triggered on e-mails from exactly one person and only when using IMAP provided by safesecureweb.com mail hosting.

    $ telnet mail36.safesecureweb.com imap
    Connected to mail36.safesecureweb.com.
    Escape character is '^]'.
    * OK IMAP4rev1 SmarterMail

GMail IMAP brings these very same messages absolutely ok.

If needed, I can try to arrange an account for testing. Although, not 100% sure. Please contact me directly for this via dmelentyev AT dynamo-ny DOT com.
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
Well, after a quick look at the code in camel/providers/imap/camel-imap-utils.c:
( http://git.gnome.org./cgit/evolution-data-server/tree/camel/providers/imap/camel-imap-utils.c?id=6be48b0f55981e67fab9f8243d2d504387dc5691 )

    if (g_ascii_strncasecmp (inptr, "nil", 3) != 0) {
        subtype = imap_parse_string (&inptr, &len);    /* line 923 */
    } else {
        subtype = NULL;
        inptr += 3;
    }

    ctype = camel_content_type_new ("multipart", subtype ? subtype : "mixed");
    g_free (subtype);

    if (*inptr++ != ')') {    /* line 932 */
        camel_content_type_unref (ctype);
        return NULL;
    }

And then checking imap_parse_string_generic (which is what imap_parse_string() is mapped to via #define) reveals that inptr MUST be checked for being NULL after the call.

From the imap_parse_string_generic in-file doc:

     * Return value: the parsed string, or %NULL if a NIL or no string
     * was parsed. (In the former case, *...@str_p will be %NULL; in the
     * latter, it will point to the character after the NIL.)

Conclusion:
1. inptr could need duplicating before the call to imap_body_decode(), because its value is not constant
2. inptr MUST be checked for NULL after the call

IMHO - this is a clear bug; even more, a specially crafted e-mail and/or IMAP server could exploit this bug for DoS at the end-user side. So, it could even be a security issue.
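An added example (not evolution-data-server code) of the check called for in the comment above: test the cursor for NULL after the string parser returns and before dereferencing it. parse_string() and parse_multipart_tail() are hypothetical names, and the parser's contract is an assumption stated in its comment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a string parser with an in/out cursor.
 * Assumed contract: returns a malloc'd string and advances *str_p;
 * on NIL returns NULL with *str_p just past the NIL;
 * on a parse error returns NULL and sets *str_p to NULL. */
static char *parse_string(const char **str_p)
{
    const char *s = *str_p, *end;
    char *out;
    size_t n;

    if (s != NULL && strncmp(s, "NIL", 3) == 0) {
        *str_p = s + 3;
        return NULL;
    }
    if (s == NULL || *s != '"' || (end = strchr(s + 1, '"')) == NULL) {
        *str_p = NULL;                 /* nothing parsed: cursor is now invalid */
        return NULL;
    }
    n = (size_t)(end - (s + 1));
    if ((out = malloc(n + 1)) == NULL) {
        *str_p = NULL;
        return NULL;
    }
    memcpy(out, s + 1, n);
    out[n] = '\0';
    *str_p = end + 1;
    return out;
}

/* Parses `<subtype-or-NIL> ')'` and writes the subtype (default "mixed").
 * Returns 0 on success, -1 on malformed input. */
int parse_multipart_tail(const char *in, char *subtype_out, size_t cap)
{
    const char *p = in;
    char *subtype = parse_string(&p);

    if (p == NULL)                     /* check the cursor BEFORE touching *p */
        return -1;
    snprintf(subtype_out, cap, "%s", subtype ? subtype : "mixed");
    free(subtype);
    return (*p == ')') ? 0 : -1;
}
```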
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
Also, it is quite easy to break the stack with very deep recursion here (same function, imap_body_decode()):

    if (*inptr++ != '(')    /* line 896 */
        return NULL;

    if (ci == NULL) {
        ci = camel_folder_summary_content_info_new (folder->summary);
        g_ptr_array_add (cis, ci);
    }

    if (*inptr == '(') {    /* line 904 */
        /* body_type_mpart */
        CamelMessageContentInfo *tail, *children = NULL;

        tail = (CamelMessageContentInfo *) &children;

        do {
            /*!!!*/
            if (!(child = imap_body_decode (&inptr, NULL, folder, cis)))
                return NULL;

            child->parent = ci;
            tail->next = child;
            tail = child;
        } while (*inptr == '(');    /* line 917 */

Just imagine inptr points to a string with some thousands of '('s.

I might be wrong or outdated in exact stack calculations, but supposing at least 20 bytes of stack per call (ret ptr + 4 pointers in arguments, 4 bytes per pointer) and a 2Mb thread stack, this will result in a maximum level of recursion equal to 104857:

    2*1024*1024/20 = 104857

Add here some memory alignment, other calls in this thread's stack, variables... Stack is not that deep actually. I'd rather expect no more than 5-10 thousand calls.

And I hardly see any checks for this case or any attempt to roll out this recursion into a loop. I consider the code dangerous and significantly broken. :(
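An added example (not evolution-data-server code) of the missing check described in the comment above: a recursive walk over nested '(' groups that carries a depth counter and rejects input nested deeper than a fixed cap. decode_body(), count_body_parts() and the MAX_BODY_DEPTH value are hypothetical, and the input in main() is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_DEPTH 64   /* assumed cap, not a value from the thread */

/* Walks one "( ... )" group whose children are nested groups, the same
 * shape as the multipart loop quoted above. Returns the number of parts,
 * or -1 on malformed input or nesting deeper than MAX_BODY_DEPTH. */
static int decode_body(const char **in, int depth)
{
    const char *p = *in;
    int parts = 1, n;

    if (depth > MAX_BODY_DEPTH || *p++ != '(')
        return -1;                     /* refuse before recursing further */
    while (*p == '(') {                /* child parts */
        if ((n = decode_body(&p, depth + 1)) < 0)
            return -1;
        parts += n;
    }
    while (*p != '\0' && *p != '(' && *p != ')')
        p++;                           /* skip this part's own fields */
    if (*p++ != ')')
        return -1;
    *in = p;
    return parts;
}

int count_body_parts(const char *s)
{
    int n = decode_body(&s, 1);
    return (n >= 0 && *s == '\0') ? n : -1;
}

int main(void)
{
    size_t depth = 100000;             /* constructed hostile input */
    char *deep = malloc(2 * depth + 1);

    if (deep == NULL)
        return 1;
    memset(deep, '(', depth);
    memset(deep + depth, ')', depth);
    deep[2 * depth] = '\0';
    printf("two children: %d\n", count_body_parts("((a)(b) \"mixed\")"));
    printf("100000 deep:  %d\n", count_body_parts(deep));
    free(deep);
    return 0;
}
```

The skip loop treats a part's own fields as opaque bytes, so parentheses inside quoted strings are not handled; the point is the depth check, which fails the parse before the stack can be exhausted.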
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
Wow, CamelMessageContentInfo *tail and imap_body_decode() recursion! Probably the author did forget that he wasn't writing in Haskell and the C++ compiler won't do tail recursion optimization for this code :)))
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
** Changed in: evolution
   Status: Unknown => New
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
Thanks for your report, that's known upstream, you can track it here: http://bugzilla.gnome.org/show_bug.cgi?id=520233

** Bug watch added: GNOME Bug Tracker #520233
   http://bugzilla.gnome.org/show_bug.cgi?id=520233

** Also affects: evolution via
   http://bugzilla.gnome.org/show_bug.cgi?id=520233
   Importance: Unknown
   Status: Unknown

** Changed in: evolution (Ubuntu)
   Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs)
   Status: New => Triaged
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
StacktraceTop:
    imap_body_decode (in=0xb2d6d1d8, ci=0xb4827100, folder=0xb4802820, cis=0xb48332a0)
    imap_parse_body (body_p=0xb2d6d234, folder=0xb4802820, ci=0xb4827100)
    imap_get_message (folder=0xb4802820, uid=0x850c8a0 137, ex=0xb4800af4)
    camel_folder_get_message (folder=0xb4802820, uid=0x850c8a0 137, ex=0xb4800af4)
    get_message_exec (m=0xb4800ae0) at mail-ops.c:1720

** Tags removed: need-i386-retrace

** Attachment removed: CoreDump.gz
   http://launchpadlibrarian.net/14476916/CoreDump.gz

** Attachment added: Stacktrace.txt (retraced)
   http://launchpadlibrarian.net/14514333/Stacktrace.txt
[Bug 229669] Re: evolution crashed with SIGSEGV after opening email with attachment
** Visibility changed to: Public