GNOME Bugzilla – Bug 430420
crash in Evolution: IMAP server sent respons...
Last modified: 2007-11-22 10:14:35 UTC
What were you doing when the application crashed?
IMAP server sent response to FETCH BODY containing size=0

Distribution: Gentoo Base System release 1.12.9
Gnome Release: 2.16.2 2007-01-28 (Gentoo)
BugBuddy Version: 2.16.0

Memory status: size: 362344448 vsize: 362344448 resident: 25038848 share: 17121280 rss: 25038848 rss_rlim: -1
CPU usage: start_time: 1176753747 rtime: 87 utime: 78 stime: 9 cutime: 0 cstime: 0 timeout: 0 it_real_value: 0 frequency: 100

Backtrace was generated from '/usr/bin/evolution-2.8'

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 47410810171248 (LWP 8861)]
[New Thread 1115703616 (LWP 8896)]
[New Thread 1107310912 (LWP 8874)]
[New Thread 1098918208 (LWP 8871)]
[New Thread 1090525504 (LWP 8870)]
[New Thread 1082132800 (LWP 8869)]
0x00002b1ead9fdaef in waitpid () from /lib/libpthread.so.0
+ Trace 128315
Thread 3 (Thread 1107310912 (LWP 8874))
*** Bug 430426 has been marked as a duplicate of this bug. ***
Please don't report the same bug many times :-) Thanks for the bug report. Unfortunately, that stack trace is not very useful in determining the cause of the crash. Could you please install some debugging packages [1] and reproduce the crash, if possible? Once bug-buddy pops up, you can find the stacktrace in the "details", now containing way more information. Please copy that stacktrace and paste it as a comment here. Thanks!

[1] debugging packages for evolution, evolution-data-server and gtkhtml, plus debugging packages for some basic GNOME libs. More details can be found here: http://live.gnome.org/GettingTraces/DistroSpecificInstructions
FWIW this bug can be reproduced consistently by returning a negative size value in the FETCH RESPONSE. Only positive values are allowed by IMAP4Rev1 but evolution does not check this value and uses this value as a pointer to memory. This is really not a good idea. Potentially, this is a remote exploit.
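The validation the previous comment asks for, written here as an added example rather than Evolution's or Camel's own code: RFC 3501 defines the count in a literal `{N}\r\n` as `1*DIGIT`, an unsigned 32-bit number, so a sign character is not part of the grammar at all. A parser that hands the count to `atoi()`/`strtol()` accepts "-5", and a signed length that is then added to a buffer pointer or passed as a size is exactly the kind of value a hostile server can pick. The function names and the FETCH fragments below are constructed for this example; the parser refuses signs, non-digits, empty counts, counts above 2^32-1, a missing `}\r\n`, and any count not backed by bytes actually received, so no pointer it produces ever leaves the buffer.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing one IMAP literal "{<octets>}\r\n<octets bytes>". */
enum literal_status {
    LIT_OK = 0,
    LIT_NOT_LITERAL,  /* buffer does not start with '{' */
    LIT_BAD_SIZE,     /* count has a sign or non-digit, is empty, or exceeds 2^32-1 */
    LIT_BAD_DELIM,    /* count is not followed by "}\r\n" */
    LIT_TRUNCATED     /* fewer than <octets> bytes have been received */
};

/*
 * Parse the literal at the start of buf[0..buflen).  On LIT_OK, *data points
 * at the first octet inside buf, *len is the octet count and *next is one
 * past the literal.  Every pointer produced stays inside buf, so a hostile
 * count cannot become an out-of-bounds read.
 */
enum literal_status
imap_parse_literal(const char *buf, size_t buflen,
                   const char **data, size_t *len, const char **next)
{
    size_t i, n = 0;

    if (buflen == 0 || buf[0] != '{')
        return LIT_NOT_LITERAL;

    /* RFC 3501 'number' is 1*DIGIT: a leading '-' or '+' is not a number,
     * so "{-5}" is rejected here instead of being handed to atoi(). */
    i = 1;
    if (i >= buflen || !isdigit((unsigned char)buf[i]))
        return LIT_BAD_SIZE;

    while (i < buflen && isdigit((unsigned char)buf[i])) {
        unsigned d = (unsigned)(buf[i] - '0');
        /* RFC 3501 caps 'number' at 32 bits; this also guards the accumulation. */
        if (n > (UINT32_MAX - d) / 10)
            return LIT_BAD_SIZE;
        n = n * 10 + d;
        i++;
    }

    if (i + 3 > buflen || buf[i] != '}' || buf[i + 1] != '\r' || buf[i + 2] != '\n')
        return LIT_BAD_DELIM;
    i += 3;

    /* The server's count must be backed by bytes actually in the buffer. */
    if (n > buflen - i)
        return LIT_TRUNCATED;

    *data = buf + i;
    *len = n;
    *next = buf + i + n;
    return LIT_OK;
}

/* Status of a NUL-terminated fragment (convenience wrapper for samples). */
enum literal_status imap_literal_status(const char *s)
{
    const char *data, *next;
    size_t len;
    return imap_parse_literal(s, strlen(s), &data, &len, &next);
}

/* Octet count of a NUL-terminated fragment, or -1 if it was rejected. */
long imap_literal_len(const char *s)
{
    const char *data, *next;
    size_t len;
    if (imap_parse_literal(s, strlen(s), &data, &len, &next) != LIT_OK)
        return -1;
    return (long)len;
}

int main(void)
{
    /* Constructed FETCH BODY[] fragments, as a server might send them. */
    const char *samples[] = {
        "{12}\r\nHello, world",   /* well formed */
        "{0}\r\n",                /* legal empty literal */
        "{-5}\r\nhello",          /* negative count: the input from this bug */
        "{5}\r\nab",              /* count larger than the data received */
        "{4294967296}\r\n",       /* exceeds the RFC 3501 number range */
    };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("sample %zu: status %d, len %ld\n", k,
               (int)imap_literal_status(samples[k]), imap_literal_len(samples[k]));
    return 0;
}
```

A zero-length literal is legal and is accepted; the title's "size=0" case is only dangerous when the count is not checked against what was actually received, which the `LIT_TRUNCATED` check covers.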
Created attachment 96118 [details] [review] proposed eds patch for evolution-data-server

Here's a patch as you suggested. It's only in a standard IMAP backend used in evolution. Could you try to apply and test it for me, please? I'm not able to manipulate my IMAP server in such a way, so your help will be very appreciated. Thanks in advance. BTW: I hope I didn't screw up your name in ChangeLog :)
Hi Milan, thanks for taking a look at this. It may be a day or two, but I hope to get to trying your patch sometime this week. I should have full interaction scripts (I usually develop with client and server output streams forked to file) for the bad input, which I can contribute if this would be useful to you. Robert

PS I use my full middle name for FOSS (my Dad is, and my Granddad was, plain Robert Donkin), so it's Robert Burrell Donkin (but I really should have updated my profile); it's not a big deal.
I can't replicate with Evolution 2.10.3 (it prefers FETCH BODY[] to FETCH BODY), so I can't test the patch. I can probably dig out some old scripts (raw input and output logged by the server) if that's any use. From the code, I think that it should fix the issue. Thanks for taking a look, and sorry that I can't be more helpful.
In either case, Sankar, can you review this?
The patch correctly detects +ve or -ve size, and hence is approved. Commit it to the stable branch as well as trunk.
Committed to trunk. Committed revision 8186. Committed to stable. Committed revision 8187.
Merged with Camel-lite: http://www.tinymail.org/trac/tinymail/changeset/2908
*** Bug 463610 has been marked as a duplicate of this bug. ***
*** Bug 482510 has been marked as a duplicate of this bug. ***
*** Bug 494190 has been marked as a duplicate of this bug. ***
*** Bug 496062 has been marked as a duplicate of this bug. ***
*** Bug 274128 has been marked as a duplicate of this bug. ***